Conversation

@dreamorosi
Contributor

Summary

Changes

Harden GitHub Actions workflow permissions to satisfy both OSSF Scorecard and SonarCloud security requirements. This addresses 6 open code scanning alerts related to token permissions.

Strategy applied:

  • Set permissions: {} at workflow level (disables all permissions by default)
  • Declare specific permissions at each job level (only grants what each job needs)

Files updated:

  • reusable-run-linting-check-and-unit-tests.yml - added contents: read to 5 jobs
  • ossf_scorecard.yml - added contents: read to analysis job
  • quality_check.yml - added contents: read to 5 jobs
  • publish_layer.yml - added contents: read to build-layer job
  • layers_partitions.yml - added id-token: write, contents: read to deploy jobs
  • layers_partitions_deploy.yml - added top-level permissions: {}

Issue number: closes #4897


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
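The pattern the PR describes (deny everything at the workflow level, then grant per job), shown as a constructed example workflow rather than any file from the project. Job names, steps, the AWS action and the role ARN are placeholders; the permission keys are the ones the PR lists.

```yaml
name: quality-check-example   # constructed example, not a workflow from the repo

on:
  pull_request:
  push:
    branches: [main]

# Previous shape (enough for an OpenSSF Scorecard token-permissions pass):
#   permissions:
#     contents: read
#
# Hardened shape: an empty map grants nothing to any job by default, so a job
# that forgets to declare permissions cannot even check out the repo.
permissions: {}

jobs:
  lint-and-unit-tests:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # checkout only; no write scopes, no packages/issues
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

  deploy-layer:
    runs-on: ubuntu-latest
    needs: lint-and-unit-tests
    permissions:
      id-token: write       # required to mint an OIDC token for cloud federation
      contents: read        # still needed to check out the build artefacts
    steps:
      - uses: actions/checkout@v4
      - name: Federate to the cloud account via OIDC (placeholder role)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/PLACEHOLDER-ROLE
          aws-region: us-east-1
```

Note that `permissions: {}` is not the same as omitting the key: an omitted key falls back to the repository's default token permissions, whereas the empty map is an explicit deny that each job must override.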

@boring-cyborg boring-cyborg bot added the automation This item relates to automation label Dec 29, 2025
@pull-request-size pull-request-size bot added the size/M PR between 30-99 LOC label Dec 29, 2025
@dreamorosi dreamorosi self-assigned this Dec 29, 2025
Contributor

@leandrodamascena leandrodamascena left a comment


The trick now is to set global permissions to an empty dict? Super weird.

@dreamorosi
Contributor Author

> The trick now is to set global permissions to an empty dict? Super weird.

I think so (we'll need to merge to see if it works & solves the findings), but this is happening because we have two sets of SAST.

As far as the OpenSSF Scorecard is concerned, having a top-level default read permission is enough to get a 10/10 score; this was the guidance we've been following for a while now. The new finding comes from SonarCloud, which wants a per-job least-privilege configuration.

With this empty top-level config I'm trying to please both - unsure if it'll work, I might have to revert the PR if the finding is not resolved, and in that case we might want to just dismiss them.

@dreamorosi dreamorosi merged commit d52633a into main Dec 29, 2025
50 checks passed
@dreamorosi dreamorosi deleted the chore/harden-workflow-permissions branch December 29, 2025 12:09
Development

Successfully merging this pull request may close these issues.

Maintenance: Harden GitHub Actions workflow permissions for security compliance