chore: fix test workflow permissions (#122)

## Description

Fix test workflow permissions to only what is needed.

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/uds-package-sonarqube/blob/main/CONTRIBUTING.md#developer-workflow)
followed

.github/workflows/ci-docs-shim.yaml

@@ -8,6 +8,10 @@ on:
     branches: [main]
     types: [milestoned, opened, synchronize]
 
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+  contents: read # Allows reading the content of the repository.
+
 jobs:
   validate:
     strategy:

.github/workflows/commitlint.yaml

@@ -8,6 +8,10 @@ on:
     branches: [main]
     types: [milestoned, opened, edited, synchronize]
 
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+  contents: read # Allows reading the content of the repository.
+
 jobs:
   validate:
     uses: defenseunicorns/uds-common/.github/workflows/callable-commitlint.yaml@f0164622ffc2007e96a0e1deaa3f5064db04b148 # v1.1.0

.github/workflows/lint.yaml

@@ -3,6 +3,10 @@
 
 name: Lint
 
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+  contents: read # Allows reading the content of the repository.
+
 on:
   # This workflow is triggered on pull requests to the main branch.
   pull_request:

.github/workflows/test.yaml

@@ -26,6 +26,12 @@ on:
       - CONTRIBUTING.md
       - SECURITY.md
 
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+  contents: read # Allows reading the content of the repository.
+  packages: read # Allows reading the content of the repository's packages.
+  id-token: write
+
 # Abort prior jobs in the same workflow / PR
 concurrency:
   group: test-${{ github.ref }}