security: move workflow permissions to job level

Author: BKDDFS

.github/workflows/release.yml

@@ -4,15 +4,12 @@ on:
   push:
     branches: [main]
 
-permissions:
-  contents: write
-  pull-requests: write
-  id-token: write      # for SBOM attestation
-  attestations: write  # for SBOM attestation
-
 jobs:
   release-please:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     outputs:
       release_created: ${{ steps.release.outputs.release_created }}
       tag_name: ${{ steps.release.outputs.tag_name }}

.github/workflows/run_tests.yml

@@ -6,10 +6,6 @@ on:
   pull_request:
     branches: [main, dev]
 
-permissions:
-  contents: read
-  security-events: write
-
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
@@ -19,6 +15,8 @@ jobs:
         with:
           python-version: '3.13'
       - uses: pre-commit/action@v3.0.1
+        env:
+          SKIP: pytest
 
   test:
     needs: pre-commit
@@ -38,6 +36,9 @@ jobs:
   test-docker:
     needs: pre-commit
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
       - uses: actions/checkout@v4
       - uses: astral-sh/setup-uv@v5

.github/workflows/scorecard.yml

@@ -7,8 +7,6 @@ on:
     - cron: '0 6 * * 1'  # Weekly on Monday at 6 AM (aligned with CodeQL)
   workflow_dispatch:  # Allow manual triggers
 
-permissions: read-all
-
 jobs:
   analysis:
     name: Scorecard analysis