This PR adds minimum token permissions to GitHub workflow files to improve the repository's OSSF Scorecard rating as requested in the issue.

Changes Made

Updated 2 workflow files to include the missing contents: read permission:

• .github/workflows/ci-java.yml - Added contents: read while preserving existing pull-requests: write permission (needed for Gradle PR comments)
• .github/workflows/close-stale.yaml - Added contents: read while preserving existing issues: write and pull-requests: write permissions (needed for stale bot functionality)

Files Already Compliant

The following 16 workflow files were already correctly configured and required no changes:

• All CI workflows (ci-collector.yml, ci-nodejs.yml, ci-python.yml, ci-shellcheck.yml, ci-terraform.yml) ✅
• Security workflows (codeql.yml, fossa.yml) ✅
• Publishing workflows (layer-publish.yml, publish-layer-collector.yml) ✅
• All release workflows with appropriate job-level contents: write permissions ✅
• Workflows using permissions: read-all were left unchanged as instructed (ossf-scorecard.yml, check-links.yaml) ✅

Implementation Notes

• Followed OSSF Scorecard best practices by using permissions: contents: read instead of permissions: read-all
• Preserved all existing elevated permissions that are functionally required
• Made minimal, surgical changes - only added missing permissions without removing or reordering existing configuration
• All job-specific permission blocks remain properly configured where needed

All 18 GitHub workflow files now have minimum token permissions configured according to OSSF Scorecard requirements.

Fixes #1.

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.