
Potential fix for code scanning alert no. 7: Workflow does not contain permissions#25

Merged
N0tHorizon merged 1 commit into 📦Current from alert-autofix-7 on Jan 25, 2026

Conversation

@N0tHorizon
Owner

Potential fix for https://github.com/N0tHorizon/WindowsTelemetryBlocker/security/code-scanning/7

In general, you fix this issue by explicitly setting a permissions block in the workflow (at the root or per job) to restrict the GITHUB_TOKEN to only what is needed. For a workflow that merely checks the environment and uploads artifacts, no repository write permissions are required; read access to contents is sufficient, and in many cases the token can be fully disabled.

The best fix here, without changing behavior, is to add a root-level permissions block just under the on: section, applying to all jobs. Because this workflow only reads the code (via actions/checkout) and uploads artifacts (which does not require GITHUB_TOKEN), contents: read is a safe, minimal choice that still allows checkout to function. No other scopes (like pull-requests, issues, etc.) are needed based on the shown steps. Concretely, in .github/workflows/env-matrix.yml, add:

permissions:
  contents: read

between the on: block (line 3–7) and the jobs: block (line 9). No imports or additional methods are required since this is pure YAML configuration.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
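The check behind this alert is easy to reproduce locally, which is useful for catching the same gap in other workflows before code scanning does. The script below is an added example, not code from this PR or from the WindowsTelemetryBlocker repository: it implements a line-based approximation of the "Workflow does not contain permissions" rule (a workflow passes if it has a root-level permissions: block, or if every job under jobs: declares its own) and runs it over a constructed stand-in for env-matrix.yml, since the page does not show that file. The sample workflow, its job name and its steps are assumptions; the only thing taken from the PR is the fix itself, the permissions: contents: read block inserted between on: and jobs:.

```python
"""Flag GitHub Actions workflows that leave GITHUB_TOKEN at the default scope.

Approximates the code-scanning rule "Workflow does not contain permissions":
a workflow is OK if it declares `permissions:` at the root, or if every job
declares its own. Parsing is deliberately line-based so the script runs
without PyYAML; it assumes the usual layout (top-level keys at column 0,
jobs indented uniformly under `jobs:`, job settings one level deeper).
"""
import re
import sys

TOP_KEY = re.compile(r"^([A-Za-z_][\w-]*):")          # key at column 0
INDENTED_KEY = re.compile(r"^(\s+)([A-Za-z_][\w-]*):")  # key with indentation


def _strip(line: str) -> str:
    """Drop comments and trailing whitespace but keep leading indentation."""
    return line.split("#", 1)[0].rstrip()


def check_workflow(text: str) -> dict:
    """Return {'root': bool, 'jobs': {job_name: bool}, 'ok': bool}."""
    root_has_permissions = False
    jobs: dict = {}
    in_jobs = False
    job_indent = None     # indentation of job names under `jobs:`
    child_indent = None   # indentation of a job's own settings (runs-on, ...)
    current_job = None

    for raw in text.splitlines():
        line = _strip(raw)
        if not line.strip():
            continue
        top = TOP_KEY.match(line)
        if top:
            key = top.group(1)
            in_jobs = key == "jobs"
            job_indent = child_indent = current_job = None
            if key == "permissions":
                root_has_permissions = True
            continue
        if not in_jobs:
            continue
        m = INDENTED_KEY.match(line)
        if not m:               # list items (`- uses:`) and values are skipped
            continue
        indent, key = len(m.group(1)), m.group(2)
        if job_indent is None:
            job_indent = indent
        if indent == job_indent:
            current_job, child_indent = key, None
            jobs[key] = False
        elif current_job is not None and indent > job_indent:
            if child_indent is None:
                child_indent = indent
            # Only a key directly under the job name is the job's permissions
            # block; deeper keys (inside steps/with) are not.
            if key == "permissions" and indent == child_indent:
                jobs[current_job] = True

    ok = root_has_permissions or (bool(jobs) and all(jobs.values()))
    return {"root": root_has_permissions, "jobs": jobs, "ok": ok}


# Constructed sample resembling the workflow the PR describes, BEFORE the fix:
# checkout plus artifact upload, and no permissions block anywhere.
BEFORE = """\
name: env-matrix
on:
  push:
    branches: [main]
  pull_request:

jobs:
  env-check:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [windows-latest, ubuntu-latest]
    steps:
      - uses: actions/checkout@v4
      - run: env | sort > env.txt
        shell: bash
      - uses: actions/upload-artifact@v4
        with:
          name: env-${{ matrix.os }}
          path: env.txt
"""

# The same workflow with the root-level block the PR adds between `on:` and `jobs:`.
AFTER = BEFORE.replace("\njobs:\n", "\npermissions:\n  contents: read\n\njobs:\n")

# Equivalent alternative: scope the token per job instead of at the root.
JOB_LEVEL = BEFORE.replace(
    "    runs-on:", "    permissions:\n      contents: read\n    runs-on:"
)

if __name__ == "__main__":
    # With no arguments, report on the constructed samples; otherwise on files.
    sources = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]} or {
        "BEFORE": BEFORE, "AFTER": AFTER, "JOB_LEVEL": JOB_LEVEL}
    for name, text in sources.items():
        result = check_workflow(text)
        print(f"{name}: {'OK' if result['ok'] else 'MISSING permissions'} {result}")
```

Run it with workflow paths as arguments (python check_permissions.py .github/workflows/*.yml) to audit a repository; the sample run shows BEFORE flagged and both AFTER and JOB_LEVEL passing. It is a heuristic, not a YAML parser: it will not understand flow-style mappings or unusual indentation, so treat a "MISSING" result as a prompt to look at the file, and keep code scanning as the authoritative check.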

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@N0tHorizon N0tHorizon marked this pull request as ready for review January 25, 2026 21:51
@N0tHorizon N0tHorizon merged commit 7f97fd0 into 📦Current Jan 25, 2026
57 checks passed
@github-actions

Contributor Security Check Results

✅ All security checks passed!

This PR has been validated for:

  • Code syntax and structure
  • Security patterns
  • File integrity
  • Contribution guidelines

Thank you for your contribution!

@N0tHorizon N0tHorizon deleted the alert-autofix-7 branch January 25, 2026 21:51