chore(ci): declare workflow-level permissions on publish.yml

[igerber]

Summary

• Add permissions: contents: read at the workflow level of publish.yml so all jobs have explicit GITHUB_TOKEN scoping.
• The four build jobs (build-linux, build-macos-arm, build-windows, build-sdist) inherit contents: read, which is what they need for actions/checkout.
• The publish job's per-job permissions: id-token: write block is unchanged. Per-job permissions replace (not merge with) workflow-level, so it correctly retains only id-token: write for OIDC trusted publishing — it doesn't checkout, so no contents scope needed.

Clears the 4 CodeQL actions/missing-workflow-permissions warnings on publish.yml lines 10/64/94/124 without changing runtime token scope (repo default was already read).

Methodology references (required if estimator / math changes)

• N/A - CI configuration only, no estimator or math changes.

Validation

• yaml.safe_load parses cleanly.
• Confirmed via parsed structure: workflow-level {contents: read} present; publish-job override {id-token: write} retained; 4 build jobs have no per-job override (so they inherit).

Security / privacy

• No secrets/PII in this PR. Strictly tightens declared least-privilege posture; runtime behavior unchanged.

[github-actions]

Overall Assessment

✅ Looks good

No unmitigated P0/P1 findings in the diff.

Executive Summary

• The diff is limited to GitHub Actions configuration in publish.yml; no estimator, inference, weighting, variance/SE, or default-behavior code is touched.
• I checked docs/methodology/REGISTRY.md; no methodology contract is in scope for this PR, so there is no paper/registry mismatch to flag.
• The new workflow-level permissions: contents: read in publish.yml is appropriate for the four build jobs, which use actions/checkout@v6 at lines 28, 73, 103, and 130.
• The publish job keeps its explicit permissions: id-token: write override in publish.yml, and its current steps do not require contents scope.
• I also validated the YAML structure locally: workflow permissions parse as {'contents': 'read'}, build jobs have no per-job override, and publish retains {'id-token': 'write'}.

Methodology

• No findings. docs/methodology/REGISTRY.md is not implicated because this PR does not touch estimator logic, identification assumptions, weighting, variance/SE, or defaults.

Code Quality

• No findings. The change is minimal, localized, and internally consistent in publish.yml.

Performance

• No findings. Token scoping should not affect library runtime or materially change CI execution behavior.

Maintainability

• Severity: P3-informational. Impact: The job-level override in publish.yml replaces, rather than merges with, the workflow-level permission block. That is correct for the current publish steps, but a future edit that adds actions/checkout or repository-content reads to publish would need an explicit contents: read grant. Concrete fix: No change needed for this PR. If publish later gains contents-dependent steps, add contents: read alongside id-token: write in the job-level permissions block.

Tech Debt

• No findings. TODO.md does not need an update for this CI-only change, and no new deferred correctness/workflow debt is introduced.

Security

• No findings. This is an explicit least-privilege declaration, not a permission expansion. The build jobs inherit read-only contents access, and the publish job remains limited to OIDC token issuance for trusted publishing.

Documentation/Tests

• No findings. No estimator docs/tests are affected. YAML parsing and permission-shape validation passed locally.