
Potential fix for code scanning alert no. 2: Workflow does not contain permissions #34

Merged
NeckBeardPrince merged 1 commit into main from alert-autofix-2 on Feb 13, 2026

Conversation

@NeckBeardPrince (Owner)

Potential fix for https://github.com/NeckBeardPrince/howtfdoi/security/code-scanning/2

In general, the fix is to define an explicit permissions: block that grants the minimal required GitHub token permissions, either at the workflow root (applies to all jobs that don’t override it) or per-job. This documents the workflow’s needs and prevents accidental privilege escalation if repository defaults change.

For this workflow, none of the active jobs (build and cross-compile) perform write operations against the repository, issues, or pull requests; they only need to read the contents to build. The actions used (actions/checkout, actions/setup-go, actions/upload-artifact) all function with contents: read and do not require additional scopes. Therefore, the best fix is to add a root-level permissions: block directly under the name: CI line, granting contents: read only. This automatically covers the cross-compile job (and the build job and any uncommented future jobs) without changing their functionality.

Concretely:

  • Edit .github/workflows/ci.yml.

  • After line 1 (name: CI), insert:

        permissions:
          contents: read

  • Leave the rest of the workflow unchanged.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
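The corrected workflow written out in full, as an added example that is not the repository's own ci.yml (the PR page does not show the file; the trigger, action versions, Go version, build matrix and the `release` job below are assumed for illustration). It goes one step beyond the PR description by also showing the per-job form it mentions, for a job that genuinely needs a write scope:

```yaml
name: CI

on:
  push:
    branches: [main]
  pull_request:

# Root-level token scope: applies to every job that does not override it.
# Before this block existed, GITHUB_TOKEN received the repository's default
# scope, which depends on repository/organisation settings rather than on
# what the workflow actually needs.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4        # needs contents: read only
      - uses: actions/setup-go@v5        # needs no repository scope
        with:
          go-version: '1.22'             # assumed; not shown on the PR page
      - run: go build ./...
      - run: go test ./...

  cross-compile:
    runs-on: ubuntu-latest
    strategy:
      matrix:                            # assumed target list
        goos: [linux, darwin, windows]
        goarch: [amd64, arm64]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.22'
      - run: >
          GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }}
          go build -o dist/howtfdoi-${{ matrix.goos }}-${{ matrix.goarch }} .
      # Artifacts go through the Actions API; no repository write scope needed.
      - uses: actions/upload-artifact@v4
        with:
          name: howtfdoi-${{ matrix.goos }}-${{ matrix.goarch }}
          path: dist/

  # Hypothetical job, not part of this repository's workflow: shows the
  # per-job form. A job-level permissions block replaces the root block for
  # that job (scopes not listed here become none), so only this job's token
  # is widened; build and cross-compile keep contents: read.
  release:
    if: startsWith(github.ref, 'refs/tags/')
    needs: [build, cross-compile]
    runs-on: ubuntu-latest
    permissions:
      contents: write                    # create the release, upload assets
    steps:
      - uses: actions/download-artifact@v4
        with:
          path: dist/                    # one subdirectory per artifact
      - run: gh release create "$GITHUB_REF_NAME" dist/*/*
        env:
          GH_TOKEN: ${{ github.token }}
```

To confirm the block took effect, open any job's "Set up job" step in the run log: it lists the effective "GITHUB_TOKEN Permissions", which after this change should show only `Contents: read` (plus the `Metadata: read` that is always granted). Note that `permissions:` scopes only the automatic GITHUB_TOKEN; a personal access token or other secret used by a step is unaffected and has to be scoped where it is issued.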
@NeckBeardPrince NeckBeardPrince marked this pull request as ready for review February 13, 2026 00:27
Copilot AI review requested due to automatic review settings February 13, 2026 00:27
@github-actions

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

Copilot AI left a comment

Pull request overview

This pull request adds explicit permissions to the CI workflow to address a security code scanning alert. The change grants minimal required permissions (contents: read) to prevent accidental privilege escalation if repository default permissions change in the future.

Changes:

  • Added a permissions: block to .github/workflows/ci.yml granting contents: read at the workflow level

@NeckBeardPrince NeckBeardPrince merged commit 8f25204 into main Feb 13, 2026
11 checks passed
@NeckBeardPrince NeckBeardPrince deleted the alert-autofix-2 branch February 13, 2026 00:36