fix(ci): add least-privilege permissions to workflow files

[waveywaves]

Summary

Add top-level permissions blocks to workflow files following the two-tier permission pattern recommended by OpenSSF Scorecard. This tightens the default GITHUB_TOKEN scope so that each job only receives the permissions it explicitly declares.

Changes

• stale.yml: added permissions: {} at workflow level (job-level issues: write + pull-requests: write already correct)
• build_external_container_images.yaml: moved packages: write from workflow level to job level; set workflow level to permissions: { contents: read }
• codeql.yml: removed id-token: write from workflow level (kept contents: read); job level already has id-token: write

Full 12-Workflow Audit

#	Workflow file	Workflow-level permissions	Status
1	author_verification.yml	read-all	Already compliant
2	build_external_container_images.yaml	contents: read (was also packages: write)	Fixed - moved packages: write to job level
3	codeql.yml	contents: read (was also id-token: write)	Fixed - removed id-token: write; job already declares it
4	lint.yml	contents: read, pull-requests: read	Already compliant (read-only)
5	package_chart.yaml	read-all	Already compliant (job has packages: write + id-token: write)
6	release.yaml	read-all	Already compliant (jobs declare write perms as needed)
7	scm_configuration_check.yaml	read-all	Already compliant
8	scorecards.yml	read-all	Already compliant
9	secrets-scan-daily.yml	read-all	Already compliant
10	stale.yml	{} (was missing entirely)	Fixed - added empty block with comment; job has issues: write + pull-requests: write
11	sync_contracts.yml	read-all	Already compliant
12	test.yml	contents: read	Already compliant (read-only)

Result: 3 workflows fixed, 9 were already compliant. All 12 workflow files now follow the least-privilege two-tier pattern.

Test Plan

• Verify stale.yml workflow runs correctly (cron or manual dispatch) with the new top-level permissions: {}
• Verify build_external_container_images.yaml workflow can still build and push container images with packages: write now at job level
• Verify codeql.yml workflow still generates SLSA provenance with id-token: write only at job level
• Re-run OpenSSF Scorecard to confirm the Token-Permissions check score improves (currently flagged in issue Fix OpenSSF Scorecard token-permissions check (currently 0/10) #2841)

Fixes #2841

[cubic-dev-ai]

1 issue found across 4 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="pkg/attestation/crafter/collector_aiagentconfig.go">

<violation number="1" location="pkg/attestation/crafter/collector_aiagentconfig.go:105">
P1: Deterministic file name in `/tmp` replaces `CreateTemp`, introducing predictable temp-file path risk (pre-creation/symlink attack surface).</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[cubic-dev-ai]

P1: Deterministic file name in /tmp replaces CreateTemp, introducing predictable temp-file path risk (pre-creation/symlink attack surface).

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At pkg/attestation/crafter/collector_aiagentconfig.go, line 105:

<comment>Deterministic file name in `/tmp` replaces `CreateTemp`, introducing predictable temp-file path risk (pre-creation/symlink attack surface).</comment>

<file context>
@@ -99,20 +100,16 @@ func (c *AIAgentConfigCollector) uploadAgentConfig(
-		tmpFile.Close()
+	// Use a deterministic filename based on the config hash so that retries
+	// produce the same file path and avoid duplicate CAS uploads.
+	tmpPath := filepath.Join(os.TempDir(), fmt.Sprintf("ai-agent-config-%s-%s.json", agentName, data.ConfigHash[:12]))
+	if err := os.WriteFile(tmpPath, jsonData, 0o600); err != nil {
 		return fmt.Errorf("writing temp file: %w", err)
</file context>

[waveywaves]

@jiparis @migmartri gentle ping — this is ready for review. All CI green. Adds least-privilege permissions to 3 workflow files (stale, build_external_container_images, codeql). Full 12-workflow audit in the PR description.