
[Issue]: Residual OpenSSF Scorecard Token-Permissions fixes from #182 #292

@WilliamBerryiii

Issue Description

Issue #182 was closed but left two low-priority items unaddressed. These were identified by the OpenSSF Scorecard Token-Permissions scanner:

Items Requiring Attention

  1. pester-tests.yml - Add a top-level permissions: block

    • Line 1 warning: "no topLevel permission defined"
    • Risk: the workflow inherits the repository's default GITHUB_TOKEN permissions instead of declaring explicit, restrictive ones
    • Fix: add a top-level permissions: block containing contents: read before the jobs: block
  2. security-scan.yml - Remove the redundant top-level permission

    • Line 9 warning: security-events: write at the top level duplicates the job-level declaration at line 16
    • Risk: none (cosmetic), but it obscures the least-privilege intent of the job-level grant
    • Fix: remove security-events: write from the top-level permissions: block

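The following is an added illustrative skeleton showing fix 1 applied; it is not the project's actual pester-tests.yml, and the workflow name, triggers, job, steps and the pinned action reference are assumptions or placeholders:

```yaml
# Added example, not the project's own pester-tests.yml.
# Triggers, job name, steps and the action pin are assumptions/placeholders.
name: Pester Tests

on:
  pull_request:
  push:
    branches: [main]

# Fix 1: a top-level permissions block so every job in this workflow starts
# with a read-only GITHUB_TOKEN instead of the repository's default token
# permissions. Jobs that need more must request it at job level.
permissions:
  contents: read

jobs:
  pester:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@<pinned-commit-sha>   # placeholder: pin to a full commit SHA
      - name: Run Pester tests
        shell: pwsh
        run: Invoke-Pester -CI
```

With this block in place the Scorecard Token-Permissions check no longer reports "no topLevel permission defined" for the file, and any later job that is added without its own permissions: block inherits only contents: read.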
Non-Issues (Scanner False Positives)

The following 6 warnings refer to correctly configured permissions and require no changes:

File                              Line  Reason
main.yml                          44    Job-level permission for dependency-pinning SARIF upload
pr-validation.yml                 101   Job-level permission for dependency-pinning SARIF upload
pr-validation.yml                 135   Job-level permission for CodeQL SARIF upload
weekly-security-maintenance.yml   24    Job-level permission for validate-pinning SARIF upload
weekly-security-maintenance.yml   45    Job-level permission for CodeQL SARIF upload

All SARIF-uploading jobs require security-events: write at job level per GitHub documentation.
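The following is an added illustrative skeleton showing fix 2 together with the job-level SARIF-upload pattern the table above describes; it is not the project's actual security-scan.yml, and the workflow name, triggers, job, steps, SARIF file name and the pinned action references are assumptions or placeholders:

```yaml
# Added example, not the project's own security-scan.yml.
# Triggers, job name, steps, sarif_file and the action pins are assumptions/placeholders.
name: Security Scan

on:
  push:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'   # constructed example schedule

# Fix 2: the top-level block grants only the read-only default.
# security-events: write was removed from here because the job that uploads
# SARIF declares it itself, so a top-level copy is redundant and hides the
# fact that only one job needs it.
permissions:
  contents: read

jobs:
  codeql:
    runs-on: ubuntu-latest
    # Job-level elevation: only this job can write code-scanning results,
    # which the SARIF upload requires. Note that a job-level permissions
    # block replaces the top-level one for this job, so contents: read must
    # be restated here or checkout would run with no contents access.
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@<pinned-commit-sha>   # placeholder: pin to a full commit SHA
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@<pinned-commit-sha>   # placeholder pin
        with:
          sarif_file: results.sarif   # placeholder path
```

This is the shape the scanner flags on the table's five job-level lines: a write grant scoped to the single job that uploads SARIF, with everything else in the workflow left read-only, which is the intended least-privilege layout rather than a defect.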

Additional Context

Scanner output analyzed from OpenSSF Scorecard Token-Permissions check.

Labels

github-actions (GitHub Actions workflows), security (Security-related changes or concerns)
