fix: tighten workflow permissions and fix uv tool invocations (#459)

* fix: tighten workflow permissions and fix uv tool invocations

## What

Move elevated permissions from workflow level to job level across four
GitHub Actions workflows (major-version-updater, mark-ready-when-ready,
scorecard, stale). Set all workflow-level permissions to contents: read.
Fix Makefile to use `python -m` for flake8, mypy, and pytest since they
lack console script entry points in the uv venv. Upgrade PyJWT from
2.11.0 to 2.12.1 to address CVE-2026-32597.

## Why

Workflow-level permissions apply to all jobs, granting broader access
than necessary. Moving write permissions to the specific jobs that need
them follows the principle of least privilege. The Makefile commands
failed because uv doesn't install console scripts for all packages;
invoking via `python -m` ensures the tools are found. PyJWT <= 2.11.0
doesn't validate the RFC 7515 `crit` header parameter, rated HIGH
(CVSS 7.5).

## Notes

- The scorecard workflow previously used `permissions: read-all` which granted read access to all scopes; now explicitly scoped to only what's needed
- The `uv run` to `uv run python -m` change also affects CI since the python-package workflow calls `make lint` and `make test`
- PyJWT is a transitive dependency; verify downstream consumers aren't relying on the old crit-header-ignored behavior

Signed-off-by: jmeridth <jmeridth@gmail.com>

* chore: drop autobuild step of codeql from code review

Signed-off-by: jmeridth <jmeridth@gmail.com>

---------

Signed-off-by: jmeridth <jmeridth@gmail.com>

Author: jmeridth

.github/copilot-instructions.md

@@ -16,10 +16,8 @@ This is a GitHub Action identifies and reports repositories with no activity for
 ## Repository Structure
 
 - `Makefile`: Contains commands for linting, testing, and other tasks
-- `requirements.txt`: Python dependencies for the project
-- `requirements-test.txt`: Python dependencies for testing
+- `pyproject.toml`: Python dependencies and project configuration
 - `README.md`: Project documentation and setup instructions
-- `setup.py`: Python package setup configuration
 - `test_*.py`: Python test files matching the naming convention for test discovery
 
 ## Key Guidelines

.github/workflows/codeql.yml

@@ -59,11 +59,6 @@ jobs:
           # By default, queries listed here will override any specified in a config file.
           # Prefix the list here with "+" to use these queries and those in the config file.
 
-      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-      # If this step fails, then you should remove it and run the build manually (see below)
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
-
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 

.github/workflows/major-version-updater.yml

@@ -10,11 +10,13 @@ on:
 env:
   TAG_NAME: ${{ github.event.inputs.TAG_NAME || github.ref}}
 permissions:
-  contents: write
+  contents: read
 jobs:
   update_tag:
     name: Update the major tag to include the ${{ github.event.inputs.TAG_NAME || github.ref }} changes
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1

.github/workflows/mark-ready-when-ready.yml

@@ -5,10 +5,7 @@ on:
     types: [opened, edited, labeled, unlabeled, synchronize]
 
 permissions:
-  checks: read
-  contents: write
-  pull-requests: write
-  statuses: read
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
@@ -18,6 +15,11 @@ jobs:
   mark-ready:
     name: Mark as ready after successful checks
     runs-on: ubuntu-latest
+    permissions:
+      checks: read
+      contents: write
+      pull-requests: write
+      statuses: read
     if: |
       contains(github.event.pull_request.labels.*.name, 'Mark Ready When Ready') &&
       github.event.pull_request.draft == true

.github/workflows/scorecard.yml

@@ -13,13 +13,15 @@ on:
   push:
     branches: [main]
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analysis:
     name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       security-events: write
       id-token: write
 

.github/workflows/stale.yaml

@@ -4,12 +4,14 @@ on:
     - cron: "30 1 * * *"
 
 permissions:
-  issues: write
-  pull-requests: read
+  contents: read
 
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: read
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1

Makefile

@@ -1,6 +1,6 @@
 .PHONY: test
 test:
-	uv run pytest -v --cov=. --cov-config=.coveragerc --cov-fail-under=80 --cov-report term-missing
+	uv run python -m pytest -v --cov=. --cov-config=.coveragerc --cov-fail-under=80 --cov-report term-missing
 
 .PHONY: clean
 clean:
@@ -9,10 +9,10 @@ clean:
 .PHONY: lint
 lint:
 	# stop the build if there are Python syntax errors or undefined names
-	uv run flake8 . --config=.github/linters/.flake8 --count --select=E9,F63,F7,F82 --show-source
+	uv run python -m flake8 . --config=.github/linters/.flake8 --count --select=E9,F63,F7,F82 --show-source
 	# exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
-	uv run flake8 . --config=.github/linters/.flake8 --count --exit-zero --max-complexity=15 --max-line-length=150
+	uv run python -m flake8 . --config=.github/linters/.flake8 --count --exit-zero --max-complexity=15 --max-line-length=150
 	uv run isort --settings-file=.github/linters/.isort.cfg .
 	uv run pylint --rcfile=.github/linters/.python-lint --fail-under=9.0 *.py
-	uv run mypy --config-file=.github/linters/.mypy.ini *.py
+	uv run python -m mypy --config-file=.github/linters/.mypy.ini *.py
 	uv run black .