
Fix OpenSSF Scorecard token-permissions check (currently 0/10) #2841

@migmartri

Description


Problem

Our OpenSSF Scorecard token-permissions check is currently 0/10.

Scorecard report: https://securityscorecards.dev/viewer/?uri=github.com/chainloop-dev/chainloop

The scorecard expects workflows to follow the principle of least privilege: set restrictive permissions at the workflow level and only grant broader permissions at the job level where needed.

Reference example from the scorecard project itself: https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml

Warnings from scorecard

Missing top-level permissions declaration

  1. stale.yml:1 — No top-level permissions. Add permissions: {} at the workflow level (job-level issues: write + pull-requests: write already correct).
  2. scm_configuration_check.yaml:1 — No top-level permissions. Add permissions: read-all at the workflow level (job-level contents: read + id-token: write already correct).

Top-level write permissions that should move to job level

  3. build_external_container_images.yaml:8 — Has packages: write at the workflow level. Move to job level, set top-level to permissions: read-all.

Job-level write permissions (may be legitimate but flagged)

  4. github_release.yaml:23-24 — Job-level packages: write and contents: write. These are likely necessary for release workflows but are still flagged by the scorecard.
  5. package_chart.yaml:32 — Job-level packages: write. Likely necessary for chart publishing but still flagged.

Expected outcome

All workflows follow the two-tier permission pattern:

  • Workflow level: permissions: read-all (or permissions: {} for workflows that don't need read)
  • Job level: only the specific write permissions each job needs

Fixing items 1-3 should improve the score. Items 4-5 may be acceptable warnings for release workflows.
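The two-tier layout the issue asks for, shown on a container-image workflow of the kind item 3 describes. This is an added example and not one of the chainloop-dev/chainloop workflows: the workflow name, trigger, job names, image name and steps are assumed for illustration. The commented-out block at the top is the shape the scorecard flags; the live YAML below it is the fix.

```yaml
# Added example (not the chainloop project's own file). Job names, image name
# and steps are assumed.

# --- before: the shape flagged as "top-level write permission" ---
# permissions:
#   packages: write      # workflow level: every job inherits it, including
#                        # jobs that only check out and test
#
# A workflow with no `permissions:` key at all falls back to the repository's
# default GITHUB_TOKEN permissions, which is what items 1 and 2 flag.

# --- after: two-tier pattern ---
name: build-external-container-images

on:
  push:
    tags: ["v*"]

# Workflow level: grant nothing. Each job then declares exactly what it needs.
# `permissions: read-all` (what the issue suggests) is the looser alternative;
# `{}` is the stricter one and also satisfies the check.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    # Checking out the repository needs contents: read; nothing else.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: make test

  publish:
    runs-on: ubuntu-latest
    needs: test
    # Only the job that pushes to GHCR gets packages: write. No other job in
    # this workflow can use the token to write a package.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - run: |
          IMAGE=ghcr.io/${{ github.repository }}/tool:${{ github.ref_name }}
          docker build -t "$IMAGE" .
          docker push "$IMAGE"
```

Two practical notes. Once the top level is `{}`, every job that runs `actions/checkout` must add `contents: read` itself, so the fix is not purely a move of the `write` lines: expect to touch read-only jobs too. Second, the per-job `write` grants in items 4 and 5 (contents: write for creating a release, packages: write for pushing a chart or image) are exactly the job-level exceptions the pattern allows; the scorecard still reports them, but as job-level findings rather than the top-level ones that drive the score to 0. After the change, the check can be re-run locally with `scorecard --repo=github.com/chainloop-dev/chainloop --checks=Token-Permissions` (the `scorecard` CLI from the ossf/scorecard project) without waiting for the hosted viewer to refresh.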

Metadata

Labels: bug (Something isn't working), enhancement (New feature or request), security
