Housekeeping: checksums, workflow permissions, README.md

 - Add a test to prevent us from writing workflows with no
   explicit permissions.
 - Add explicit permissions to all workflows.
 - Move `checksums/` to `checksum/sources/` in preparation
   for true artifact checksums and reproducibility.
 - README.md updates.

Author: alganet

.github/workflows/docker-all.yml

@@ -3,6 +3,9 @@
 
 name: Push alganet/shell-versions:all
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:

.github/workflows/docker-latest.yml

@@ -3,6 +3,9 @@
 
 name: Push alganet/shell-versions:latest
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:

.github/workflows/docker-test.yml

@@ -2,6 +2,7 @@
 # SPDX-License-Identifier: ISC
 
 name: Push alganet/shell-versions:test
+
 permissions:
   contents: read
 

.github/workflows/test-verification.yml

@@ -1,5 +1,8 @@
 name: Checksum Verification
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches: [ main ]
@@ -8,6 +11,25 @@ on:
   workflow_dispatch:
 
 jobs:
+  verify-workflows:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v3
+      - name: Check workflow permissions
+        run: |
+          set -e
+          missing=0
+          for f in .github/workflows/*.yml; do
+            if ! grep -q '^[[:space:]]*permissions:' "$f"; then
+              echo "Workflow $f missing 'permissions' key"
+              missing=1
+            fi
+          done
+          if [ "$missing" -eq 1 ]; then
+            echo "One or more workflows are missing the 'permissions' stanza."
+            exit 1
+          fi
+
   verify-checksums:
     runs-on: ubuntu-24.04
     timeout-minutes: 15
@@ -25,9 +47,9 @@ jobs:
         run: |
           set -ex
           # backup checksum file
-          cp checksums/dash/0.5.13.tar.gz.sha256sums checksums/dash/0.5.13.tar.gz.sha256sums.bak
+          cp checksums/sources/dash/0.5.13.tar.gz.sha256sums checksums/sources/dash/0.5.13.tar.gz.sha256sums.bak
           # corrupt checksum: replace hash with ones; keep filename
-          printf '1111111111111111111111111111111111111111111111111111111111111111  %s\n' "0.5.13.tar.gz" > checksums/dash/0.5.13.tar.gz.sha256sums
+          printf '1111111111111111111111111111111111111111111111111111111111111111  %s\n' "0.5.13.tar.gz" > checksums/sources/dash/0.5.13.tar.gz.sha256sums
           # remove any existing artifact to force re-download
           rm -f build/dash/0.5.13.tar.gz
           set +e
@@ -55,6 +77,6 @@ jobs:
       - name: 'Restore checksum and verify success'
         run: |
           set -ex
-          mv checksums/dash/0.5.13.tar.gz.sha256sums.bak checksums/dash/0.5.13.tar.gz.sha256sums
+          mv checksums/sources/dash/0.5.13.tar.gz.sha256sums.bak checksums/sources/dash/0.5.13.tar.gz.sha256sums
           rm -f build/dash/0.5.13.tar.gz
           sh shvr.sh download dash_0.5.13