sec(GHA): Apply security best practices for GitHub Workflows

[helmut-hoffer-von-ankershoffen]

sec(GHA): Don't inherit permissions to reusable workflows but apply principle of least privilege

[claude]

Security Review for GitHub Actions Workflows

This PR implements excellent security improvements for GitHub Actions workflows by applying the principle of least privilege. Here's my detailed review:

✅ Strengths & Security Improvements

1. Explicit Secret Declaration: Excellent move replacing 'secrets: inherit' with explicit secret declarations. This prevents workflows from accessing secrets they don't need, reducing attack surface.

2. Environment Variable Security: Great improvement in handling sensitive data:

   • Changed from direct secret interpolation to using env vars
   • UV_PUBLISH_TOKEN now properly isolated in environment scope
   • This prevents secrets from appearing in shell command history or process lists

3. Action Pinning: Good security practice pinning the Ketryx action to a specific commit hash:

   • Ketryx/ketryx-github-action@40b13ef # v1.4.0
   • Prevents supply chain attacks via tag manipulation

4. Optional Secrets: Marking secrets as 'required: false' allows workflows to run in different contexts (e.g., forks) without failing due to missing secrets.

🔍 Code Quality Assessment

• Consistency: All reusable workflows now follow the same pattern for secret handling
• Documentation: Comment updates ('# No secrets needed') improve clarity
• Maintainability: Explicit secret declarations make dependencies clear

🔒 Security Analysis

Attack Surface Reduction:

• Before: All repository secrets were accessible to all workflows
• After: Each workflow only accesses required secrets

Credential Exposure Risk:

• Significantly reduced by using environment variables instead of direct secret interpolation in commands

📊 Performance Considerations

• No performance impact - these are configuration changes only
• Might slightly improve workflow startup time by not inheriting unused secrets

✅ Test Coverage

The single test change (silent_logging parameter addition) appears to be a minor test cleanup and is appropriate.

🚀 Recommendations

1. Consider Secret Rotation: With improved secret isolation, this might be a good time to rotate any long-lived tokens

2. Audit Secret Usage: Review which secrets are actually needed vs. declared in each workflow

3. Documentation: Consider adding a comment in the main CI workflow explaining the security rationale for explicit secret passing

🎯 Overall Assessment

This PR represents a significant security improvement with no functional drawbacks. The changes follow GitHub Actions security best practices and align well with the repository's high-quality standards evident in the comprehensive CLAUDE.md documentation.

Recommendation: ✅ Approve and merge - this is a well-executed security enhancement that reduces attack surface while maintaining full functionality.