Add explicit permissions blocks, remove excessive-permissions ignores

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: tashian

.github/workflows/code-scan-cron.yml

@@ -2,6 +2,11 @@ on:
   schedule:
     - cron: '0 0 * * SUN'
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   code-scan:
     uses: smallstep/workflows/.github/workflows/code-scan.yml@main

.github/workflows/release.yml

@@ -6,6 +6,9 @@ on:
     tags:
     - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
 
+permissions:
+  contents: read
+
 jobs:
   ci:
     uses: smallstep/autocert/.github/workflows/ci.yml@master
@@ -14,6 +17,8 @@ jobs:
   create_release:
     name: Create Release
     needs: ci
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     env:
       INIT_DOCKER_IMAGE: smallstep/autocert-init

.github/zizmor.yml

@@ -33,15 +33,6 @@ rules:
       - release.yml:131
       - triage.yml:19
       - zizmor.yml:15
-  # These workflows either lack a top-level `permissions:` block
-  # (using GitHub defaults) or delegate to reusable workflows that
-  # declare their own minimal permissions internally.
-  excessive-permissions:
-    ignore:
-      - code-scan-cron.yml:6
-      - release.yml:1
-      - release.yml:10
-      - release.yml:14
   # The triage workflow uses `pull_request_target` to label PRs
   # from forks. This is safe because the called reusable workflow
   # does not checkout or execute code from the PR.