Clean up workflow files for Zizmor

[mandreko-bitwarden]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/VULN-285

📔 Objective

Perform cleanup of existing workflows to be in compliance with Zizmor and bwwl.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[claude]

Claude finished @mandreko-bitwarden's task —— View job

---

Code Review Progress

• Gather context and read changed files
• Conduct comprehensive code review
• Post review feedback

---

Review Summary

The changes improve workflow security by scoping id-token: write permissions to specific jobs and fix indentation for consistency.

Findings

None. The PR correctly implements principle of least privilege for GitHub Actions permissions.

Good Practices

• Scoped id-token: write to only jobs requiring OIDC authentication
• Fixed YAML indentation for consistency
• Left version job with only inherited contents: read permission

[github-actions]

Checkmarx One – Scan Summary & Details – 0f0d853a-52a1-4f08-8599-c0bd4a3b43fe

Great job! No new security vulnerabilities introduced in this pull request

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.77%. Comparing base (c3ba556) to head (c0317b6).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2121      +/-   ##
==========================================
- Coverage   85.22%   83.77%   -1.46%     
==========================================
  Files        1708     1971     +263     
  Lines      145420   160924   +15504     
==========================================
+ Hits       123940   134814   +10874     
- Misses      21480    26110    +4630     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.