fix(ci): scope nightly.yaml writes to per-job permissions (#929)

Top-level `permissions: { contents: write, packages: write, id-token: write }`
on nightly.yaml granted every job in the workflow the union of all writes
any one job needed, including jobs that only consume read-only inputs. The
Scorecard `TokenPermissionsID` rule flags this as the most severe form of
over-grant because top-level writes propagate to every reuse-called
workflow as the upper bound.

Drop the top-level to `contents: read` and raise per-job only where the
job actually writes:

  - build:               contents: read, packages: write
                         (forwarded to _build.yaml for NuGet/vcpkg writes
                          to ghcr.io via VCPKG_BINARY_SOURCES=...readwrite)

  - cleanup-prereleases: contents: write
                         (git push origin --delete <tag> and gh release
                          delete; the tag deletion requires repo write)

  - prerelease:          contents: write, id-token: write
                         (forwarded to _release.yaml for tag push +
                          gh release create + Sigstore keyless signing)

  - docker:              contents: read, packages: write
                         (forwarded to _docker.yaml for ghcr image push;
                          matches release.yaml's docker job pattern)

  - init:                no override, inherits top-level read
                         (_init.yaml is read-only — extracts versions
                          from package.json via jq and stamps github.sha)

The grants mirror the canonical pattern already in place in release.yaml
(committed in the prior TokenPermissionsID cleanup pass that closed #513
and #515 on _build.yaml and _init.yaml).

Closes Scorecard TokenPermissionsID alerts #566 (topLevel contents:write)
and #567 (topLevel packages:write).

The remaining 10 TokenPermissionsID alerts on this repo (#451, #452, #454,
#455, #489, #490, #604, #635, #649, #650) flag job-level writes that are
required for the job's function (ghcr image push, GitHub release publish,
artifact cleanup, model-sync commits). Those are being dismissed
separately with "won't fix" + per-alert justification — Scorecard
penalizes any write, including the unavoidable kind.

Author: anandray

.github/workflows/nightly.yaml

@@ -9,10 +9,11 @@ concurrency:
   group: nightly
   cancel-in-progress: true
 
+# Top-level least-privilege. Individual jobs below raise to write only
+# where they actually need it (image push, tag/release publish, prerelease
+# cleanup). Closes Scorecard TokenPermissionsID #566 and #567.
 permissions:
-  contents: write
-  packages: write
-  id-token: write
+  contents: read
 
 # Triggered when develop's CI run completes successfully — this is the
 # gate. A red CI on develop (whether from a bad merge, a flaky test, or
@@ -83,6 +84,9 @@ jobs:
     name: Build
     needs: init
     uses: ./.github/workflows/_build.yaml
+    permissions:
+      contents: read
+      packages: write
     with:
       ref: ${{ github.event.workflow_run.head_sha || github.ref }}
       full_version: ${{ needs.init.outputs.full_server_version }}
@@ -97,6 +101,8 @@ jobs:
     name: Clean up prereleases
     needs: build
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Check out repository
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -130,6 +136,9 @@ jobs:
     name: Prerelease
     needs: [init, build, cleanup-prereleases]
     uses: ./.github/workflows/_release.yaml
+    permissions:
+      contents: write
+      id-token: write
     with:
       ref: ${{ github.event.workflow_run.head_sha || github.ref }}
       prerelease: true
@@ -144,6 +153,9 @@ jobs:
     name: Docker
     needs: [init, build]
     uses: ./.github/workflows/_docker.yaml
+    permissions:
+      contents: read
+      packages: write
     with:
       ref: ${{ github.event.workflow_run.head_sha || github.ref }}
       server_version: ${{ needs.init.outputs.server_version }}