chore(OSSF): update token permissions to improve ossf scorecard

[laukik-target]

Description:

This PR aims to improve the repository's security posture by adhering to the principle of least privilege and enhancing the OSSF Scorecard score. The following changes have been made to reduce excessive permissions in GitHub Actions workflows and ensure a more secure CI/CD pipeline.

A small fix related to bringing up the git proxy locally is also fixed.

Issue: Bump OSSF score above 9.0 ⬆️

Should improve this score:

Changes:

1. Updated token permissions: Scoped permissions at both the top-level and job level for workflows such as:

• ci.yml: Restricted permissions to only contents: read, statuses: write as necessary.
• codeql.yml: Added top-level permissions (contents: read, security-events: write) to ensure CodeQL can upload security events.
• npm.yml: Scoped permissions to packages: write for publishing, with only contents: read for other operations.
• pr-lint.yml: Limited PR-related workflows to pull-requests: write and statuses: write to reduce unnecessary permissions.
• scorecard.yml: Scoped permissions to security-events: write and id-token: write for result publication and scorecard analysis.

2. Enhanced security:

• Applied the principle of least privilege to limit the scope of token access.
• Updated all workflows to ensure they use only the permissions necessary for their tasks, preventing unnecessary access to other GitHub components.

3. Improved OSSF Scorecard rating:

• These changes directly address issues raised by the OSSF Scorecard tool, enhancing the repository’s security rating by ensuring token permissions follow best security practices.

Benefits:

• Reduced risk of unauthorized access due to overly permissive tokens.
• Enhanced overall security posture by minimizing the attack surface in workflows.
• Improved transparency and maintainability by explicitly defining token permissions in each workflow.
• Positive impact on OSSF Scorecard score.

Checklist:
✅Updated workflows with restrictive token permissions.
✅Addressed OSSF Scorecard recommendations for token permissions.

[linux-foundation-easycla]

• ❌ The email address for the commit (974459d) is not linked to the GitHub account, preventing the EasyCLA check. Consult this Help Article and GitHub Help to resolve. (To view the commit's email address, add .patch at the end of this PR page's URL.) For further assistance with EasyCLA, please submit a support request ticket.

[netlify]

✅ Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Name	Link
🔨 Latest commit	974459d
🔍 Latest deploy log	https://app.netlify.com/sites/endearing-brigadeiros-63f9d0/deploys/672e10e4dcd7480008473f81

[laukik-target]

@JamieSlome I am a citi Employee, I Sent an authorization request as a Corporate Contributor for EasyCLA. Can you please approve it?

[JamieSlome]

@laukik-target - great PR ❤️ Can you re-open using commits created with your Citi e-mail address?

[laukik-target]

@laukik-target - great PR ❤️ Can you re-open using commits created with your Citi e-mail address?

I guess, It is good to merge now.

[laukik-target]

@JamieSlome Changes were done. Requesting for re-review & approval.

[laukik-target]

@JamieSlome Can you please re-review and approve the PR

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 60.12%. Comparing base (1e35b93) to head (974459d).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #763   +/-   ##
=======================================
  Coverage   60.12%   60.12%           
=======================================
  Files          47       47           
  Lines        1650     1650           
=======================================
  Hits          992      992           
  Misses        658      658           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[JamieSlome]

@laukik-target - are we able to re-base all of your 10 commits to use your Citi e-mail address instead? All 10 commits should use your public Citi e-mail address instead of the current Gmail address 👍 Let me know if you need help on how to do this.

[laukik-target]

@laukik-target - are we able to re-base all of your 10 commits to use your Citi e-mail address instead? All 10 commits should use your public Citi e-mail address instead of the current Gmail address 👍 Let me know if you need help on how to do this.

@JamieSlome I squashed my commit to single one for clear understanding.
And updated my email to citi email for my single commit but now EasyCLA check has failed.

Please help

[laukik-target]

• ❌ The email address for the commit (974459d) is not linked to the GitHub account, preventing the EasyCLA check. Consult this Help Article and GitHub Help to resolve. (To view the commit's email address, add .patch at the end of this PR page's URL.) For further assistance with EasyCLA, please submit a support request ticket.

@JamieSlome What would be the next steps?