Fix No Toplevel Permission Defined

Author: Lucas0T

.github/workflows/build.yml

@@ -14,6 +14,7 @@ on:
   schedule:
     - cron: '0 1 * * *'
   merge_group:
+permissions: read-all
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.ref || github.run_id }}
@@ -22,6 +23,9 @@ concurrency:
 jobs:
   build:
     runs-on: ubuntu-24.04
+    permissions:
+      actions: write          # Upload artifacts
+      security-events: write  # Upload CodeQL results
     steps:
       - name: Check out Git repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
@@ -79,7 +83,8 @@ jobs:
   image-scan:
     needs: build
     runs-on: ubuntu-24.04
-
+    permissions:
+      security-events: write  # Upload Trivy SARIF results
     steps:
       - name: Download Torch Image
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
@@ -270,8 +275,8 @@ jobs:
       - env-var-check
     runs-on: ubuntu-24.04
     permissions:
-      packages: write
-      id-token: write
+      packages: write  # Push to GitHub Container Registry
+      id-token: write  # For Cosign signing
     if: ${{ ! startsWith(github.head_ref, 'dependabot/')}}
 
     steps: