
ci(scorecard): add job-level permissions for reusable workflow#24

Closed. hyperpolymath wants to merge 2 commits into main from chore/scorecard-job-level-perms-282


Conversation

@hyperpolymath
Owner

Summary

Adds the job-level `permissions: { security-events: write, id-token: write }` block to the `analysis` job in `.github/workflows/scorecard.yml`, fixing the silent `startup_failure` on every Scorecard run.

Why

scorecard-reusable.yml's docstring states:

Caller MUST grant security-events: write and id-token: write on the calling job. The reusable re-asserts these on its own analysis job, but called-workflow permissions are CAPPED by the caller's permissions block.

Without this, ossf/scorecard-action cannot upload SARIF, the workflow fails at startup, and there are no logs.

Sweep

Part of estate-wide sweep tracked at hyperpolymath/standards#282. Pattern shipped in julia-professional-registry#19 (2026-05-27) and absolute-zero#68 (2026-05-30).

Test plan

  • Next Scorecard run completes successfully (cron '23 4 * * 1')
  • SARIF appears in Security tab
  • No startup_failure runs after merge

Refs hyperpolymath/standards#282

🤖 Generated with Claude Code
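The caller-side change this PR describes, shown before and after, as an added illustration rather than the repository's own `scorecard.yml`. The `uses:` path and ref, the `push` trigger and the `contents: read` grant are assumptions; the job name `analysis`, the cron and the two write scopes come from the PR text.

```yaml
# Added illustration (not the project's own workflow file). Assumed: the
# reusable lives in hyperpolymath/standards and checks out the repo, which
# is why contents: read is granted alongside the two scopes the PR names.
name: Scorecard
on:
  schedule:
    - cron: '23 4 * * 1'
  push:
    branches: [main]

# Workflow-level default. Note that a job-level `permissions:` block
# REPLACES this for that job; any scope not listed there becomes `none`.
permissions: read-all

jobs:
  # BEFORE (the failing shape): no job-level permissions on the caller.
  # The reusable workflow re-asserts security-events: write and
  # id-token: write on its own analysis job, but a called workflow can
  # never receive more than the calling job grants. The reusable's request
  # is silently capped, scorecard-action cannot upload SARIF, and the run
  # ends in startup_failure with no job logs to inspect.
  #
  # analysis:
  #   uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@main  # assumed
  #   secrets: inherit

  # AFTER (this PR): grant exactly what the reusable documents as required,
  # on the calling job itself, so the cap sits at or above what it needs.
  analysis:
    permissions:
      security-events: write   # upload SARIF to the repository's Security tab
      id-token: write          # OIDC token used by scorecard-action's publish step
      contents: read           # assumed: checkout inside the reusable
    uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@main  # assumed
    secrets: inherit
```

A quick defender-side check after merge: a capped grant shows up as a `startup_failure` conclusion in the Actions run list with zero jobs, so a run that now reaches its `analysis` job at all is the first sign the cap is resolved, before the SARIF upload is verified in the Security tab.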

hyperpolymath and others added 2 commits May 23, 2026 03:14
The `scorecard-reusable.yml` reusable requires the calling `analysis` job
to declare `security-events: write` and `id-token: write` — called-workflow
permissions are CAPPED by the caller's block (the reusable docstring
states this explicitly).

Without this, every Scorecard run silently fails with `startup_failure`
because ossf/scorecard-action cannot upload SARIF.

Estate-wide sweep tracked at hyperpolymath/standards#282; same pattern as
julia-professional-registry#19 (2026-05-27) and absolute-zero#68
(2026-05-30).

Refs hyperpolymath/standards#282

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hyperpolymath hyperpolymath enabled auto-merge (squash) May 30, 2026 16:40
@hyperpolymath
Owner Author

Closing as superseded.

This PR was filed before standards#304 (scorecard-enforcer split) and session-sentinel#23 (.as → .affine rename) landed on main. The accumulated 9-commit branch now conflicts on 22 files including:

  • .github/workflows/scorecard-enforcer.yml — already shipped via standards#304 source-fix on main
  • src/core/{config,diagnostics,healer,health,monitor,providers,scanner}.affine — renames already landed via chore: rename .as → .affine across src/core/ #23
  • License migration from PMPL-1.0-or-later → MPL-2.0 — already on main
  • a2ml manifest add/add conflicts — main has independent versions

The most-recent fresh content (commit a814292 adding job-level perms to the scorecard reusable caller per [[feedback_scorecard_wrapper_caller_permissions]]) should be covered by the standards source-fix template. If a delta remains, file a fresh PR with just that single commit.

Refs: standards#304, session-sentinel#23

auto-merge was automatically disabled May 30, 2026 17:57

Pull request was closed
