Address zizmor workflow warnings

Author: ncoghlan

.github/workflows/cla.yml

@@ -1,15 +1,19 @@
 name: "CLA Assistant"
 
+# NOTE: This workflow runs against PR *target* branches, not against the source branches.
+#       This ensures modified code cannot be executed with the workflow's permissions.
+#       It's still easier to misuse than most potential triggers, hence the zizmor warning.
+
 on:
   issue_comment:
     types: [created]
-  pull_request_target:
+  pull_request_target:  # zizmor: ignore[dangerous-triggers]
     types: [opened, closed, synchronize, labeled]  # Added "labeled" event to check for label changes
   workflow_dispatch:  # Allow manual triggering of the workflow
 
 permissions:
   actions: write
-  contents: write
+  contents: read  # Signatures are stored in a dedicated repository
   pull-requests: write
   statuses: write
   checks: write

.github/workflows/publish.yml

@@ -4,6 +4,8 @@ on:
   release:
     types: [published]
 
+# Require explicit job permissions
+permissions: {}
 
 jobs:
   pypi-publish:

.github/workflows/scan-workflows.yml

@@ -11,6 +11,9 @@ on:
       branches:
         - main
 
+# Require explicit job permissions
+permissions: {}
+
 jobs:
   zizmor:
     name: zizmor latest via PyPI

.github/workflows/test.yml

@@ -24,6 +24,9 @@ on:
     branches:
       - main
 
+# Require explicit job permissions
+permissions: {}
+
 defaults:
   run:
     # Use the Git for Windows bash shell, rather than supporting Powershell