Fix workflow permissions and cleanup

.github/workflows/check-dist.yml

@@ -11,6 +11,9 @@ on:
       - '**.md'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   call-check-dist:
     name: Check dist/

.github/workflows/codeql.yml

@@ -6,15 +6,14 @@ on:
   schedule:
     - cron: '0 19 * * 0'
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   CodeQL-Build:
     # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
     runs-on: ubuntu-latest
-
-    permissions:
-      # required for all workflows
-      security-events: write
-
     steps:
     - name: Checkout repository
       uses: actions/checkout@v5

.github/workflows/issue-opened-workflow.yml

@@ -1,7 +1,12 @@
 name: Assign issue
+
 on:
   issues:
     types: [opened]
+
+permissions:
+  issues: write
+
 jobs:
   run-action:
     runs-on: ubuntu-latest

.github/workflows/licensed.yml

@@ -9,6 +9,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   validate-cached-dependency-records:
     runs-on: ubuntu-latest

.github/workflows/pr-opened-workflow.yml

@@ -1,7 +1,12 @@
 name: Add Reviewer PR
+
 on:
   pull_request_target:
     types: [opened]
+
+permissions:
+  pull-requests: write
+
 jobs:
   run-action:
     runs-on: ubuntu-latest

.github/workflows/publish-immutable-actions.yml

@@ -4,14 +4,14 @@ on:
   release:
     types: [released]
 
-jobs:
-  publish:
-    runs-on: ubuntu-latest
 permissions:
   contents: read
   id-token: write
   packages: write
 
+jobs:
+  publish:
+    runs-on: ubuntu-latest
     steps:
       - name: Checking out
         uses: actions/checkout@v5