
[Security] changelog.yml / sbom.yml / tmp.yml — No permissions block (not covered by #589) #717

@Christophe-Rogiers


Severity: Warning

Files:

  • .github/workflows/changelog.yml
  • .github/workflows/sbom.yml
  • .github/workflows/tmp.yml

Description:
Issue #589 already calls out publish.yml, test.yml, build.yml, dotnet-reflection.yml, and winget.yml as lacking a permissions: block. Three additional workflows have the same gap and are not listed in that ticket:

  • changelog.yml: triggered by workflow_run (completion of bump-version) and workflow_dispatch; writes the changelog and so needs contents: write — but nothing else.
  • sbom.yml: workflow_dispatch only; generates an SBOM artifact; needs only contents: read.
  • tmp.yml: workflow_dispatch only; should be read-only.

Without an explicit block, the GITHUB_TOKEN receives the repository default scope (typically read/write on contents). changelog.yml is especially worth tightening because it runs across a workflow_run boundary — a classic place for permission escalation mistakes.

Suggested fix:
Same remediation as #589. Add a workflow-level block and grant per-job elevation only where actually needed:

# changelog.yml (writes the changelog)
permissions:
  contents: read

jobs:
  changelog:
    permissions:
      contents: write   # only the job that commits back

# sbom.yml, tmp.yml
permissions:
  contents: read
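A check to go with the remediation above: an added Python script, not from this issue or the project, that reads workflow files with a small line-based parser (no YAML library, so anchors, multi-line flow collections and an `on:` written as a block list are out of scope) and reports which workflows lack a workflow-level permissions block, which grant write at workflow level, and which jobs hold a write token while triggered by workflow_run. The two embedded changelog.yml variants are constructed to mirror the before/after described here; the step commands in them (update-changelog.sh, the commit-and-push line) and the `if:` guard on the run conclusion are placeholders, not the project's real steps.

```python
"""Audit GitHub Actions workflows for missing or over-broad `permissions:` blocks.
Added example, not the project's own tooling: a line-based reader for the usual block-style
layout (2-space indents); anchors, multi-line flow collections and `on:` block lists are out of scope."""
import re

KEY = re.compile(r"^(\s*)([A-Za-z_][\w-]*):\s*(.*?)\s*$")
WRITE = ("write", "write-all")

# Constructed samples mirroring this issue's before/after; the step commands are placeholders.
CHANGELOG_BEFORE = """\
name: Changelog
on:
  workflow_run:
    workflows: ["bump-version"]
    types: [completed]
  workflow_dispatch:
jobs:
  changelog:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/update-changelog.sh
      - run: git commit -am "chore: changelog" && git push
"""
CHANGELOG_AFTER = CHANGELOG_BEFORE.replace("jobs:\n", "permissions:\n  contents: read\njobs:\n").replace(
    "    runs-on: ubuntu-latest\n",
    "    if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}\n"
    "    runs-on: ubuntu-latest\n    permissions:\n      contents: write   # only the job that commits back\n")


def _perms(value):
    """Expand `read-all`/`write-all` shorthand and `{scope: level}` flow mappings."""
    if value in ("read-all", "write-all"):
        return {"*": value}
    if value.startswith("{"):
        pairs = (p.split(":", 1) for p in value.strip("{}").split(",") if ":" in p)
        return {k.strip(): v.strip() for k, v in pairs}
    return {}


def audit(text):
    """Return {'triggers': [...], 'top_perms': {...} or None, 'job_perms': {job: {...} or None}}."""
    rep = {"triggers": [], "top_perms": None, "job_perms": {}}   # top_perms None: no workflow-level block
    section, job, in_job_perms = None, None, False
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw)                        # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY.match(line)
        if not m:                                                 # "- step" items etc.
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if indent == 0:                                           # new top-level section
            section, job, in_job_perms = key, None, False
            if key == "on" and value.startswith("["):             # on: [push, workflow_dispatch]
                rep["triggers"] += [t.strip() for t in value.strip("[]").split(",") if t.strip()]
            elif key == "on" and value:                           # on: workflow_dispatch
                rep["triggers"].append(value)
            elif key == "permissions":
                rep["top_perms"] = _perms(value)
        elif section == "on" and indent == 2:
            rep["triggers"].append(key)
        elif section == "permissions" and indent == 2 and rep["top_perms"] is not None:
            rep["top_perms"][key] = value
        elif section == "jobs":
            if indent == 2:                                       # job id; None until a block is seen
                job, in_job_perms = key, False
                rep["job_perms"].setdefault(job, None)
            elif indent == 4:                                     # job-level key
                in_job_perms = key == "permissions"
                if in_job_perms:
                    rep["job_perms"][job] = _perms(value)
            elif indent == 6 and in_job_perms:
                rep["job_perms"][job][key] = value
    return rep


def effective_write_scopes(rep):
    """Scopes each job's GITHUB_TOKEN can write; None means the repository default applies."""
    out = {}
    for job, perms in rep["job_perms"].items():
        eff = perms if perms is not None else rep["top_perms"]
        out[job] = None if eff is None else sorted(k for k, v in eff.items() if v in WRITE)
    return out


def findings(rep):
    issues = []
    if rep["top_perms"] is None:
        issues.append("no workflow-level permissions block: jobs inherit the repository default")
    else:
        wide = [k for k, v in rep["top_perms"].items() if v in WRITE]
        if wide:
            issues.append("workflow-level write on " + ", ".join(wide) + "; move it to the job that needs it")
    for job, writes in effective_write_scopes(rep).items():
        if writes and "workflow_run" in rep["triggers"]:          # write token across a workflow_run boundary
            issues.append(f"job '{job}' writes {', '.join(writes)} under workflow_run: "
                          "confirm it never checks out or runs code from the triggering run's head")
    return issues


if __name__ == "__main__":
    for label, text in (("changelog.yml (current)", CHANGELOG_BEFORE), ("changelog.yml (fixed)", CHANGELOG_AFTER)):
        print(label, effective_write_scopes(audit(text)), findings(audit(text)) or "ok")
```

Run it as-is to see the current changelog.yml flagged for the missing block and the fixed one reduced to a single workflow_run caveat; to audit a checkout, feed each file under .github/workflows/ to audit() in turn. The workflow_run caveat is deliberately not cleared by the fix, because a job that holds contents: write on the far side of that boundary stays safe only as long as it never checks out or executes the triggering run's head.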

Labels

ci (CI/CD)