
Add explicit permissions to all GitHub workflows following security best practices#337

Merged
christiannagel merged 2 commits into main from copilot/fix-d07782eb-4d00-4049-9ffe-62edc63f32f3
Oct 4, 2025

Conversation

Contributor

Copilot AI commented Oct 3, 2025

Overview

This PR updates all 18 GitHub workflows in the repository to explicitly set required permissions at the workflow or job level, following the principle of least privilege as recommended by GitHub's security best practices.

Changes Made

Reusable Workflows (3 files)

Added permissions: contents: read to shared workflows that build, test, and package code:

  • createnuget-withbuildnumber.yml
  • publishnuget-azuredevops.yml
  • publishnuget-nugetserver.yml

Library Workflows (11 files)

Added permissions: contents: read to all library build workflows for both preview and stable versions:

  • Analyzers (preview & stable)
  • Backend models (preview & stable)
  • Client library (preview & stable)
  • Cosmos data library (preview & stable)
  • SQL Server data library (preview & stable)
  • PostgreSQL data library

Azure Deployment Workflows

Added job-level permissions to codebreaker-azure.yml:

  • Job set-staging-environmentvariables now explicitly declares id-token: write and contents: read for Azure CLI authentication

Utility Workflows

Standardized copilot-setup-steps.yml by moving permissions from job level to workflow level for consistency.

Permissions Explained

contents: read

Required for workflows that:

  • Check out repository code
  • Build and test code
  • Upload/download workflow artifacts
  • Create NuGet packages

id-token: write + contents: read

Required for workflows that:

  • Authenticate with Azure using OIDC (federated credentials)
  • Deploy to Azure Container Apps

Security Benefits

  • Explicit Configuration: All workflows now explicitly declare permissions instead of relying on defaults
  • Least Privilege: Each workflow has only the minimum permissions needed for its operations
  • No Write Access: No workflows have write access to repository contents
  • Improved Auditability: Clear documentation of what each workflow can access
  • Reduced Attack Surface: Compromised workflows have limited capabilities

Validation

  • All 18 workflow files pass YAML syntax validation
  • No breaking changes expected - all permissions added were already granted implicitly through GitHub's default permissions
  • Workflows will continue to function as expected for build, test, and deployment operations

Related Issues

Resolves #[issue_number] - Update GitHub workflows to set required permissions

Original prompt

This section details the original issue you should resolve

<issue_title>Update GitHub workflows to set required permissions</issue_title>
<issue_description>All GitHub workflows should be reviewed and updated to explicitly set only the permissions required for each job or workflow. This will help improve security and follow GitHub best practices.

Tasks:

  • Audit all workflow files in the repository (.github/workflows).
  • Set the permissions key at the workflow or job level, specifying only the permissions needed (e.g., contents: read, issues: write, etc.).
  • Remove any unnecessary or overly broad permissions.
  • Test workflows to ensure they continue to function as expected.

Refer to GitHub documentation on workflow permissions for guidance.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #336


Co-authored-by: christiannagel <1908285+christiannagel@users.noreply.github.com>
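The two permission shapes the PR description lists (a read-only `contents: read` for build workflows, and `id-token: write` plus `contents: read` for the Azure OIDC job), as an added example that is not one of the repository's workflows: a workflow-level `permissions` block that gives every job a read-only GITHUB_TOKEN, and a deploy job that declares its own block. A job-level `permissions` key replaces the workflow-level one rather than extending it, and any scope not listed in a `permissions` block is set to `none`, which is why the deploy job has to restate `contents: read` next to `id-token: write`, exactly as the PR does for `set-staging-environmentvariables`. The workflow name, job names, secret names, image and Azure resource names are assumptions; the inputs to `actions/checkout`, `actions/upload-artifact` and `azure/login` are those actions' published ones.

```yaml
# Added example, not a workflow from the repository. Assumed names: the
# workflow "build-and-deploy", the secrets AZURE_CLIENT_ID / AZURE_TENANT_ID /
# AZURE_SUBSCRIPTION_ID, and the container app, resource group and image.
name: build-and-deploy

on:
  push:
    branches: [main]

# Workflow-level default: every job gets a GITHUB_TOKEN limited to reading
# repository contents unless the job declares its own permissions block.
# Without this key the token falls back to the repository's default token
# permissions, which may be read-write for every scope.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # No permissions key here, so the workflow-level contents: read applies.
    # Checkout, build and artifact upload need nothing beyond contents: read.
    steps:
      - uses: actions/checkout@v4
      - name: Build and pack
        run: dotnet pack --configuration Release --output ./nupkg
      - uses: actions/upload-artifact@v4
        with:
          name: nupkg
          path: ./nupkg

  deploy:
    needs: build
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow-level one entirely: every scope
    # not listed here becomes none for this job. contents: read therefore has
    # to be restated alongside id-token: write, otherwise the checkout step
    # runs with a token that cannot read the repository.
    permissions:
      id-token: write   # lets the job request an OIDC token for Azure federated credentials
      contents: read    # still needed to check out the repository
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Deploy container app (assumed app, group and image names)
        run: |
          az containerapp update \
            --name my-app \
            --resource-group rg-example \
            --image ghcr.io/example/my-app:${{ github.sha }}
```

The `deploy` job holds the only write scope in the file, and `id-token: write` grants nothing inside GitHub itself: it only allows the job to mint a short-lived OIDC token that Azure checks against the federated credential configured on the app registration (subject and audience claims), so a compromised build step in the `build` job cannot obtain it. When reviewing a repository's workflows for the same change, look for any job that lists a `permissions` block without `contents: read` and still runs `actions/checkout`, since that job silently lost read access when the block was added.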
Copilot AI changed the title [WIP] Update GitHub workflows to set required permissions Add explicit permissions to all GitHub workflows following security best practices Oct 3, 2025
Copilot AI requested a review from christiannagel October 3, 2025 20:31
@christiannagel christiannagel marked this pull request as ready for review October 4, 2025 17:45
@christiannagel christiannagel merged commit 43d41f4 into main Oct 4, 2025
3 checks passed
@christiannagel christiannagel deleted the copilot/fix-d07782eb-4d00-4049-9ffe-62edc63f32f3 branch October 4, 2025 17:45
