zizmor audit for scorecard workflow

[funnelfiasco]

🌈 completed scorecard.yml
warning[excessive-permissions]: overly broad workflow or job-level permissions
  --> .github/workflows/scorecard.yml:18:1
   |
18 | permissions: read-all
   | --------------------- uses read-all permissions
   |
   = note: audit confidence → High

1 findings (0 ignored): 0 unknown, 0 informational, 0 low, 1 medium, 0 high

[funnelfiasco]

It's not clear if read-all is truly necessary here or not. I opened ossf/scorecard-action#1461 to ask about it.

[funnelfiasco]

Seems that read-all isn't necessary, but a matter of convenience. We may want to do some testing to see how much we can restrict that.

[robert-cronin]

I've done some investigation at least on my own fork, and it seems reducing the workflow permission scope down to contents only doesn't degrade or affect the workflow at all. I'll paste two workflow runs below for comparison:

1. run with read-all enabled as it is currently: https://github.com/robert-cronin/guac/actions/runs/12076551125
2. run with permissions scoped down to contents: read only: https://github.com/robert-cronin/guac/actions/runs/12076543286

So, I think this means we can solve this zizmor warning by restricting the scope, I'll add a PR!

Edit: I just noticed that id-token: write is also required for Scorecard's weekly scan of public repos.