Add minimum token permissions for all GitHub workflow files

[Copilot]

Analysis Results ✅

After conducting a comprehensive analysis of all GitHub workflow files in .github/workflows/, I found that this repository already fully complies with OpenSSF Scorecard Token-Permissions requirements.

Current Permissions Status

All 13 workflow files have proper minimum token permissions implemented:

Top-Level Permissions ✅

• benchmark.yml: contents: write, deployments: write (appropriate for GitHub Pages deployment)
• ossf-scorecard.yml: permissions: read-all (preserved as required by OpenSSF guidelines)
• All other 11 files: contents: read (proper baseline permission following principle of least privilege)

Job-Level Permissions ✅

• codeql-analysis.yml: Proper actions: read, contents: read, security-events: write for CodeQL scanning
• stale.yml: Appropriate issues: write, pull-requests: write for stale issue management
• project_management_*.yml: Correct issues: write for automated issue labeling
• ossf-scorecard.yml: Proper security-events: write, id-token: write for OSSF scorecard reporting

Security Improvements Already in Place

✅ Principle of Least Privilege: All workflows use minimal required permissions
✅ Read-All Preservation: Existing permissions: read-all in scorecard workflow preserved
✅ Job-Level Scoping: Elevated permissions applied only where necessary
✅ Consistent Formatting: All permission blocks follow proper YAML structure

OpenSSF Scorecard Compliance

This repository demonstrates excellent security posture with:

• Zero workflows with default broad permissions
• Proper permission scoping for all workflow operations
• Appropriate handling of security scanning and deployment workflows
• No unnecessary elevated permissions

No changes were required as the repository already implements all OpenSSF Scorecard Token-Permissions recommendations.

Fixes #9.

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.