ci: declare least-privilege permissions on the remaining 11 workflows

.github/workflows/auto-update.yml

@@ -6,6 +6,10 @@ on:
     branches:
       - main
 
+permissions:
+  contents: write
+  pull-requests: read
+
 jobs:
   Auto:
     name: Auto-update

.github/workflows/generate-kubelet-flags.yaml

@@ -2,6 +2,11 @@ name: Generate valid kubelet flags per supported k8s version
 on:
   workflow_dispatch: {}
 
+# The push + PR creation steps below explicitly use secrets.PERSONAL_ACCESS_TOKEN,
+# so the default GITHUB_TOKEN does not need write scopes here.
+permissions:
+  contents: read
+
 jobs:
   generate-kubelet-flags:
     runs-on: ubuntu-24.04

.github/workflows/go-test.yml

@@ -1,6 +1,9 @@
 name: Go Unit Tests
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   go-test:
     runs-on: ubuntu-latest

.github/workflows/no-sudo-check.yml

@@ -1,6 +1,9 @@
 name: Check for sudo in CSE scripts
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   no-sudo:
     runs-on: ubuntu-latest

.github/workflows/shellcheck.yml

@@ -1,6 +1,9 @@
 name: Lint Shell/Bash Scripts
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   shellcheck:
     runs-on: ubuntu-latest

.github/workflows/shellspec.yaml

@@ -1,6 +1,9 @@
 name: Shell/Bash Script Unit Tests
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   shellspec:
     runs-on: ubuntu-latest

.github/workflows/validate-components.yml

@@ -1,6 +1,9 @@
 name: Validate Components
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   cue:
     runs-on: ubuntu-latest

.github/workflows/validate-image-version.yml

@@ -1,6 +1,9 @@
 name: validate-image-version
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   validate-image-version:
     runs-on: ubuntu-24.04

.github/workflows/validate-pull-request-source.yml

@@ -1,6 +1,9 @@
 name: validate-pull-request-source
 on: pull_request
 
+# This workflow only reads pull_request event metadata; no checkout, no API calls.
+permissions: {}
+
 jobs:
   validate-pull-request-source:
     runs-on: ubuntu-24.04

.github/workflows/validate-windows-binary-signature.yaml

@@ -10,6 +10,9 @@ on:
       - 'vhdbuilder/packer/windows/windows_settings.json'
       - 'vhdbuilder/packer/windows/components_json_helpers.ps1'
 
+permissions:
+  contents: read
+
 jobs:
   check-files-for-ws2022:
     name: Check for Windows 2022

.github/workflows/validate-windows-ut.yml

@@ -5,6 +5,9 @@ on: pull_request
 # stored in WSL. So you'll need to change directory to whereever you have the repo checked out in WSL. Something like this:
 # cd \\wsl$\Ubuntu\home\tim\git\AgentBaker
 
+permissions:
+  contents: read
+
 jobs:
   pester-test:
     name: Pester test