Harden Claude release workflow security

[leighmcculloch]

What

Apply a best practice to the automated_release_process workflow:

• Move the broad contents: write/pull-requests: write/issues: write/id-token: write scope from workflow level to the single job that needs it; set top-level permissions: {} so any future job added to this file inherits nothing by default.

Why

This is pretty minor, but brings this workflow in line with the Claude-action security standards being applied across the stellar org (see stellar/stellar-core PR #5258 and the claude-code-action security guide). Without permissions: {} at the workflow root, any future job added to this file would silently inherit the broad write scopes. Moving them to the job level limits the blast radius if this workflow expands in the future.

[Copilot]

Pull request overview

This PR hardens the automated_release_process GitHub Actions workflow by removing broad default GITHUB_TOKEN permissions at the workflow level and scoping them to the specific job that requires write access. This reduces risk if additional jobs are added later, by ensuring they inherit no token permissions unless explicitly granted.

Changes:

• Set workflow-level permissions: {} to revoke all default GITHUB_TOKEN scopes for the workflow.
• Add job-level permissions to create-release to retain required write capabilities (contents, PRs, issues, OIDC).

[stellar-jenkins-ci]

stellar-disbursement-platform-backend-preview is available here:
SDP: https://sdp-backend-pr1130.previews.kube001.services.stellar-ops.com/health
AP: https://sdp-ap-pr1130.previews.kube001.services.stellar-ops.com/health
Frontend: https://sdp-backend-dashboard-pr1130.previews.kube001.services.stellar-ops.com

[marwen-abid]

LGTM! Thank you for this 🙏