ci: set minimum amount of permission needed for each workflow

[zimeg]

Summary

This PR sets the minimum amount of permission needed for each workflow without breaking the existing steps setup.

Reviewers

Testing is happening within this PR and notes left below! 👾

Requirements

• I've read and understood the Contributing Guidelines and have done my best effort to follow them.
• I've read and agree to the Code of Conduct.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 62.91%. Comparing base (c224bc4) to head (1aad873).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #54   +/-   ##
=======================================
  Coverage   62.91%   62.91%           
=======================================
  Files         210      210           
  Lines       22156    22156           
=======================================
+ Hits        13939    13940    +1     
- Misses       7131     7132    +1     
+ Partials     1086     1084    -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[zimeg]

📝 A few notes while this is in draft, but I hope to test one more thing before considering it reviewtime!

[zimeg]

📣 This is enough to cause the LICENSE checks to fail when needed - 6591d1f causes:

https://github.com/slackapi/slack-cli/actions/runs/14578766377/job/40890636282?pr=54

[zimeg]

📣 Permissions are handled within CircleCI for this workflow:

https://github.com/slackapi/slack-cli/runs/40890474475

[zimeg]

📣 The application token is included when needed, and it remains possible to start the job. We might have to wait for an actual update to confirm this though:

https://github.com/slackapi/slack-cli/actions/runs/14578846863/job/40890875279

[zimeg]

📝 More notes on these permissions are included in the MAINTAINERS_GUIDE.md!

https://github.com/slackapi/slack-cli/blob/main/.github/MAINTAINERS_GUIDE.md#bumping-the-golang-version

[zimeg]

📣 "write" contents are required to delete a release:

https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token

[zimeg]

📣 Checking out the repo is all that's required with the default token!

An application token helps with other permissions. Testing after the changes of #52-

[zimeg]

📣 AFAICT "contents" is not required for public repos but seems to be a good practice for making this permission clear.

📚 The "checks" permission is required for the health score: https://github.com/slackapi/slack-health-score

[mwbrooks]

✅ You're becoming the resident GitHub Action expert @zimeg 😮 🤯 I imagine it took quite a bit of digging to confirm the correct permissions for each of these workflows!

[zimeg]

@mwbrooks Thanks so much for reviewing once more 🙏

I'm not wanting to admit that some of these permissions have become familiar, but I am glad we can keep track of the actual permissions needed for each job! 🔐 ✨