
Audit GitHub Actions workflow permissions and persist-credentials usage #4658

@strickvl

Description


Context

Our zizmor security linter config (.github/zizmor.yml) currently has two checks disabled with TODOs:

  1. excessive-permissions (disabled) — Many workflows use default permissions rather than explicit minimal permissions. GitHub's default token has broad read/write access, which violates the principle of least privilege.

  2. artipacked (disabled) — Most actions/checkout steps use the default persist-credentials: true, which leaves the GITHUB_TOKEN available to all subsequent steps. Workflows that don't need to push commits should set persist-credentials: false.

Proposed work

Audit all 44 workflow files in .github/workflows/ and:

Permissions

persist-credentials

  • Add persist-credentials: false to every actions/checkout step that does NOT need to push commits
  • Document which workflows legitimately need persist-credentials: true and why

After completion

  • Re-enable excessive-permissions and artipacked checks in .github/zizmor.yml
  • Add any necessary exceptions with documented reasons

Workflows that likely need push access

  • release.yml (tagging, publishing)
  • update-templates-to-examples.yml (pushing template sync commits)
  • snack-it.yml (creating issues)
  • publish_*.yml workflows

Reference
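A line-based audit script for the two checks the issue describes, added here as an example and not part of the issue or the project's own tooling. It assumes conventionally indented workflow YAML with one `uses:` line per step and a `.github/workflows/` directory; the LAX and HARDENED inputs are constructed samples, not repository files.

```python
import re
from pathlib import Path

CHECKOUT_RE = re.compile(r"^(\s*(?:-\s+)?)uses:\s*['\"]?actions/checkout@")
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*(\S+)")

def audit_workflow_text(text):
    """Return (has_top_level_permissions, [(line_no, persist_value), ...]) where
    persist_value is each actions/checkout step's persist-credentials setting,
    or "default" (which GitHub treats as true) when the key is absent."""
    lines = text.splitlines()
    has_permissions = any(ln.startswith("permissions:") for ln in lines)
    checkouts = []
    for i, line in enumerate(lines):
        m = CHECKOUT_RE.match(line)
        if not m:
            continue
        key_indent = len(m.group(1))  # column of the `uses` key
        value = "default"
        # Sibling keys (with:, name:) sit at key_indent and their children
        # deeper; the first non-blank shallower line starts the next step.
        for body in lines[i + 1:]:
            indent = len(body) - len(body.lstrip())
            if body.strip() and indent < key_indent:
                break
            p = PERSIST_RE.match(body)
            if p:
                value = p.group(1)
                break
        checkouts.append((i + 1, value))
    return has_permissions, checkouts

def findings(text):
    """Messages mirroring excessive-permissions and artipacked; [] when clean."""
    has_permissions, checkouts = audit_workflow_text(text)
    out = [] if has_permissions else ["no top-level permissions: block (default token scopes)"]
    out += [f"line {n}: checkout leaves GITHUB_TOKEN in .git (persist-credentials={v})"
            for n, v in checkouts if v != "false"]
    return out

def audit_directory(path=".github/workflows"):
    """Map every workflow file under `path` to its findings."""
    return {p.name: findings(p.read_text()) for p in sorted(Path(path).glob("*.y*ml"))}

# Constructed sample workflows (not taken from the repository).
LAX = "jobs:\n  test:\n    steps:\n      - uses: actions/checkout@v4\n      - run: make test\n"
HARDENED = ("permissions:\n  contents: read\njobs:\n  test:\n    steps:\n"
            "      - name: Checkout\n        uses: actions/checkout@v4\n"
            "        with:\n          persist-credentials: false\n")
```

Running `audit_directory()` from the repository root lists, per workflow, the checkout steps still holding the token and the files with no explicit permissions block; workflows that must push (release, template sync) then get a documented exception rather than a blanket pass.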
