Exclude metadata from dangerous permissions validation

The metadata permission is a built-in read-only permission and should not
be considered a dangerous permission. Updated findWritePermissions to skip
metadata (similar to how it skips id-token).

Fixes test failure in TestFindWritePermissions/write-all_shorthand.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Author: Copilot

pkg/workflow/dangerous_permissions_validation.go

@@ -56,6 +56,7 @@ func validateDangerousPermissions(workflowData *WorkflowData) error {
 
 // findWritePermissions returns a list of permission scopes that have write access
 // Excludes id-token since it's safe (used for OIDC authentication) and doesn't modify repository content
+// Excludes metadata since it's a built-in read-only permission
 func findWritePermissions(permissions *Permissions) []PermissionScope {
 	if permissions == nil {
 		return nil
@@ -70,6 +71,11 @@ func findWritePermissions(permissions *Permissions) []PermissionScope {
 			continue
 		}
 
+		// Skip metadata as it's a built-in read-only permission
+		if scope == PermissionMetadata {
+			continue
+		}
+
 		level, exists := permissions.Get(scope)
 		if exists && level == PermissionWrite {
 			writePerms = append(writePerms, scope)