chore(OSSF): update token permissions to improve ossf scorecard

.github/workflows/ci.yml

@@ -10,7 +10,10 @@ on:
     branches: [ main ]
 
 permissions:
+  contents: read
   pull-requests: write
+  actions: read
+  statuses: write
 
 jobs:
   build:
@@ -83,5 +86,3 @@ jobs:
         wait-on: "http://localhost:3000"
         wait-on-timeout: 120
         run: npm run cypress:run
-
-

.github/workflows/codeql.yml

@@ -20,7 +20,10 @@ on:
     - cron: '25 10 * * 1'
 
 permissions:
+  security-events: write
   contents: read
+  actions: read
+  statuses: write
 
 jobs:
   analyze:

.github/workflows/dependency-review.yml

@@ -8,6 +8,10 @@ permissions:
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2

.github/workflows/lint.yml

@@ -2,11 +2,13 @@ name: Code Cleanliness
 
 on: [pull_request]
 
-env: # environment variables (available in any part of the action)
-  NODE_VERSION: 18
-
 permissions:
   contents: read
+  pull-requests: none
+  actions: read
+
+env: # environment variables (available in any part of the action)
+  NODE_VERSION: 18
 
 jobs:
   linting:
@@ -34,4 +36,4 @@ jobs:
       - name: Code Linting
         run: |
           npm run lint
-          npm run lint --workspaces --if-present
+          npm run lint --workspaces --if-present

.github/workflows/npm.yml

@@ -2,8 +2,10 @@ name: Publish to NPM
 on:
   release:
     types: [published]
+
 permissions:
   contents: read
+  actions: read
 
 jobs:
   build:

.github/workflows/scorecard.yml

@@ -14,8 +14,10 @@ on:
   push:
     branches: [ "main" ]
 
-# Declare default permissions as read only.
-permissions: read-all
+permissions:
+  contents: read
+  security-events: write
+  id-token: write
 
 jobs:
   analysis: