ci: ensure all permissions are scoped to job-level

Move workflow-level permissions to permissions: {} in scorecard and
test workflows, adding explicit job-level permissions for each job.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: flavorjones

.github/workflows/scorecard.yml

@@ -7,12 +7,13 @@ on:
     - cron: '30 1 * * 6'
   workflow_dispatch:
 
-permissions: read-all
+permissions: {}
 
 jobs:
   analysis:
     runs-on: ubuntu-latest
     permissions:
+      actions: read
       security-events: write
       id-token: write
       contents: read

.github/workflows/test.yml

@@ -7,12 +7,13 @@ on:
     branches: [master]
   workflow_call:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -40,6 +41,8 @@ jobs:
 
   lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -63,6 +66,8 @@ jobs:
 
   security:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -81,6 +86,8 @@ jobs:
   lint-actions:
     name: GitHub Actions audit
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -96,6 +103,8 @@ jobs:
 
   race-check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with: