The scorecard reusable workflow has permissions: read-all at the top level (line 20), which forces any calling workflow to grant all read permissions, even though the actual job only needs 4 specific permissions.
Impact:
When calling this workflow from nodejs/nodejs.org, GitHub enforces that we must grant at minimum what the reusable workflow declares. This resulted in:
Error calling workflow 'nodejs/web-team/.github/workflows/scorecard.yml@2c2897a93eb99b4cdca270729100bc0887c758d9'.
The workflow is requesting 'artifact-metadata: read, attestations: read, checks: read, deployments: read,
discussions: read, issues: read, models: read, packages: read, pages: read, pull-requests: read,
repository-projects: read, statuses: read', but is only allowed...
Proposed Solution:
Remove the top-level permissions: read-all and rely only on the job-level permissions, so that calling workflows need to grant only the 4 permissions actually needed by the scorecard action.
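As an added illustration of the proposed change (this is not the nodejs/web-team workflow file itself), the reusable workflow below keeps permissions only at job level, and the caller grants exactly that set. The four scopes shown are assumed from the ossf/scorecard-action documentation, since the issue text says "4 specific permissions" without naming them; the action versions, the `<commit-sha-after-fix>` ref and the file paths are placeholders.

```yaml
# Reusable workflow (assumed path: .github/workflows/scorecard.yml in nodejs/web-team)
# The top-level "permissions: read-all" line is deliberately absent: with it
# present, GitHub requires every caller to grant all read scopes as well.
name: Scorecard
on:
  workflow_call:
jobs:
  analysis:
    runs-on: ubuntu-latest
    # Least privilege: only what ossf/scorecard-action documents as required
    # (assumed set, not taken from the issue text).
    permissions:
      security-events: write   # upload SARIF results to code scanning
      id-token: write          # OIDC token for publishing results
      contents: read
      actions: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
---
# Caller (assumed path: .github/workflows/scorecard.yml in nodejs/nodejs.org)
# Grants exactly the job-level set; no extra read scopes are demanded.
name: Scorecard
on:
  schedule:
    - cron: "0 6 * * 1"
jobs:
  scorecard:
    uses: nodejs/web-team/.github/workflows/scorecard.yml@<commit-sha-after-fix>
    permissions:
      security-events: write
      id-token: write
      contents: read
      actions: read
```

The check worth running before merging: call the workflow from a branch with the minimal caller block above and confirm the "workflow is requesting ... but is only allowed" error no longer appears; if it does, the requested list names exactly which scope is still being declared at the top level.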