Add explicit permissions to all workflow jobs for security

Co-authored-by: thoughtparametersllc <194255310+thoughtparametersllc@users.noreply.github.com>

Author: Copilot

.github/workflows/changelog-check.yml

@@ -12,6 +12,8 @@ jobs:
   check-changelog:
     name: Verify Changelog Updated
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

.github/workflows/lint-test.yml

@@ -14,6 +14,8 @@ jobs:
   lint-python:
     name: Lint Python Files
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -54,6 +56,8 @@ jobs:
   lint-yaml:
     name: Lint YAML Files
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -82,6 +86,8 @@ jobs:
   test-update-badges:
     name: Test update_badges.py
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -127,6 +133,8 @@ jobs:
   shellcheck:
     name: Shellcheck
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -141,6 +149,8 @@ jobs:
   security-scan:
     name: Security Scan
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -172,6 +182,8 @@ jobs:
   test-summary:
     name: All Checks Complete
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: 
       - lint-python
       - lint-yaml

.github/workflows/release.yml

@@ -17,6 +17,8 @@ jobs:
   check-changelog:
     name: Check Changelog
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       has_unreleased: ${{ steps.check.outputs.has_unreleased }}
       release_notes: ${{ steps.extract.outputs.release_notes }}
@@ -61,6 +63,8 @@ jobs:
   determine-version:
     name: Determine Next Version
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: check-changelog
     if: needs.check-changelog.outputs.has_unreleased == 'true' || github.event_name == 'workflow_dispatch'
     outputs:
@@ -210,6 +214,8 @@ jobs:
   marketplace-submission:
     name: Marketplace Submission Info
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: create-release
     steps:
       - name: Marketplace submission info
@@ -235,6 +241,8 @@ jobs:
   workflow-summary:
     name: Release Summary
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs:
       - create-release
       - marketplace-submission

.github/workflows/security-audit.yml

@@ -17,6 +17,8 @@ jobs:
   dependency-review:
     name: Dependency Review
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     if: github.event_name == 'pull_request'
     steps:
       - name: Checkout repository
@@ -30,6 +32,8 @@ jobs:
   python-security-scan:
     name: Python Security Scan
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -119,6 +123,8 @@ jobs:
   secret-scanning:
     name: Secret Scanning
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -136,6 +142,8 @@ jobs:
   workflow-security:
     name: Workflow Security Check
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -177,6 +185,8 @@ jobs:
   security-summary:
     name: Security Summary
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs:
       - python-security-scan
       - codeql-analysis

.github/workflows/test-action.yml

@@ -24,6 +24,8 @@ jobs:
   test-basic-linting:
     name: Test Basic Linting
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -51,6 +53,8 @@ jobs:
   test-custom-options:
     name: Test Custom Linting Options
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -81,6 +85,8 @@ jobs:
   test-requirements-file:
     name: Test With Requirements File
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -115,7 +121,7 @@ jobs:
     name: Test Badge Generation
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -162,7 +168,7 @@ jobs:
     name: Test README Update
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -214,6 +220,8 @@ jobs:
   test-update-badges-script:
     name: Test update_badges.py Script
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -274,6 +282,8 @@ jobs:
   test-python-versions:
     name: Test Python ${{ matrix.python-version }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         python-version: ['3.9', '3.10', '3.11', '3.12']
@@ -304,6 +314,8 @@ jobs:
   test-summary:
     name: Test Summary
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs: 
       - test-basic-linting
       - test-custom-options