Reduce GitHub Actions workflow permissions #63

@coisa

Description

Objective

Reduce GitHub Actions workflow permissions to the minimum required permissions per workflow and job.

Current Limitation

Some workflows declare broad permissions at the workflow level even when individual jobs only need read access or a narrower write scope. This increases the blast radius of workflow bugs or compromised dependencies.

Proposed Work

Audit .github/workflows/*.yml and resources/github-actions/*.yml, then narrow workflow and job permissions without breaking existing automation.

Scope

  • Review tests, reports, wiki, label sync, auto-assign, and packaged workflow stubs.
  • Move permissions from workflow-level to job-level where that makes access clearer.
  • Keep write permissions only where commits, deployments, labels, comments, or preview cleanup require them.
  • Preserve required permissions for Pages deployments, wiki branch pushes, PR comments, and label operations.
  • Document any permission that cannot be reduced.

Non-goals

  • Rewriting workflow behavior.
  • Replacing actions used by current workflows.
  • Changing branch protection or repository settings.

Acceptance Criteria

Delivery Criteria

  • Test-only jobs use read-only permissions unless a write permission is demonstrably required.
  • Pages deployment jobs keep only pages: write and id-token: write plus any required read permission.
  • Wiki preview/publish jobs keep the minimum permissions required to push branches and read pull request metadata.
  • PR comment or label jobs declare the specific write permissions they need.
  • Packaged workflow stubs remain compatible with reusable workflows.
  • Workflow validation or CI confirms the permission changes do not break existing jobs.

Architectural / Isolation Criteria

  • Permissions are documented through clear YAML structure rather than implicit broad defaults.
  • Permission changes are scoped to workflow files.
  • The implementation keeps reusable workflow callers and callees aligned.
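
The narrowing described in the scope and acceptance criteria above, as an added example (not a workflow from this repository): one workflow with the broad workflow-level grant shown in a comment beside job-level grants sized to what each job does. The job names, the `make` targets, the `./public` output directory and the choice of actions are assumptions for illustration.

```yaml
# Added example, not a file from the repository this issue describes.
# Job names, make targets and the deploy step are assumptions.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Before: one top-level grant that every job inherits, test-only jobs included.
#
#   permissions: write-all
#
# After: deny everything at the workflow level so any scope a job does not
# list explicitly resolves to `none`, then grant per job.
permissions: {}

jobs:
  tests:
    # Test-only job: needs the checkout and nothing else.
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: make test

  pr-comment:
    # Posts a result comment on the PR: pull-requests write, not contents write.
    # This job does no checkout, so contents: read is not listed.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    needs: tests
    permissions:
      pull-requests: write
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: 'Tests passed.',
            });

  pages:
    # Pages deployment: pages write for the deploy, id-token write for the
    # OIDC token actions/deploy-pages requests, contents read for the checkout.
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    needs: tests
    permissions:
      contents: read
      pages: write
      id-token: write
    environment:
      name: github-pages
    steps:
      - uses: actions/checkout@v4
      - run: make docs   # assumed: writes the site into ./public
      - uses: actions/upload-pages-artifact@v3
        with:
          path: public
      - uses: actions/deploy-pages@v4
```

Three checks worth running before merging a change like this. First, once a `permissions` key appears at a level, every scope not listed there is `none`, so adding `pull-requests: write` to a job that also checks out the repository silently drops `contents: read` and the checkout can fail on a private repository; list both. Second, for reusable workflows the caller's job permissions must cover what the called workflow's jobs ask for, since a callee can only narrow what it is given, which is why the packaged stubs and their callers need to stay aligned. Third, the YAML is an upper bound, not a guarantee: the repository's default `GITHUB_TOKEN` setting caps what any workflow can request, and a `pull_request` run from a fork gets a read-only token no matter what the job declares, so CI on a fork PR is not evidence that a write scope is unnecessary.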

Metadata
Labels

enhancement (New feature or request)

Status

Released
