Add workflow token permissions #15

Merged: bcdonadio merged 1 commit into master from security/fix-codeql-workflow-permissions on May 18, 2026
Conversation

@bcdonadio (Contributor) commented May 18, 2026

Summary

  • add default read-only workflow token permissions to CI
  • keep the existing test-job permissions for check and PR reporting

Validation

  • git diff --check
  • actionlint .github/workflows/ci.yml (if installed locally)

Fixes the five CodeQL actions/missing-workflow-permissions alerts in .github/workflows/ci.yml.

Summary by CodeRabbit

  • Chores
    • Updated CI workflow configuration to enhance security settings.


Signed-off-by: Bernardo Donadio <bcdonadio@bcdonadio.com>
Copilot AI review requested due to automatic review settings May 18, 2026 21:10
@coderabbitai (Bot) commented May 18, 2026

No actionable comments were generated in the recent review. 🎉

Commits

Reviewing files that changed from the base of the PR and between 3a92c7a and 24ede30.

Files selected for processing (1)
  • .github/workflows/ci.yml

Walkthrough

This PR adds a workflow-level permissions block to the CI workflow, restricting the GitHub Actions GITHUB_TOKEN to read-only access for repository contents. The change hardens the workflow's security posture by enforcing least-privilege token scope at the workflow level.

Changes

Workflow permissions hardening
  • Layer: Workflow-level permissions
  • File(s): .github/workflows/ci.yml
  • Summary: Adds a workflow-level permissions block setting contents: read, restricting GITHUB_TOKEN to read-only access for repository contents while preserving job-level permissions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A token's scope now trimmed with care,
Read-only bounds, a locksmith's prayer,
Three lines of trust, secure and tight,
The workflow sleeps more soundly tonight! 🔒

Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'Add workflow token permissions' clearly and concisely describes the main change—adding a top-level GitHub Actions permissions block to the workflow for security purposes.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@codecov (Bot) commented May 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.


Copilot AI left a comment

Pull request overview

Adds explicit default read-only GitHub Actions token permissions to the CI workflow to address CodeQL missing-workflow-permissions alerts while preserving elevated permissions on the test job.

Changes:

  • Adds top-level permissions: contents: read to .github/workflows/ci.yml.
  • Leaves the existing test job permissions for checks and pull request reporting intact.

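The fix reviewed above, as an added example that is neither the project's ci.yml nor the CodeQL query: a constructed "before" workflow in which the lint job silently inherits the repository's default GITHUB_TOKEN scope while the test job already declares its own block, a simplified checker that reports which jobs are left without any explicit permissions (the condition behind the missing-workflow-permissions alert), and a helper that inserts the workflow-level `contents: read` default the PR adds. The function names, the line-based YAML scan (used instead of PyYAML so the example runs offline) and the sample workflow text are my own assumptions.

```python
"""Simplified audit of GitHub Actions GITHUB_TOKEN permissions.

Added example, not the project's CI file and not CodeQL's query. The YAML
handling is a deliberately small indentation scan that is adequate for
conventionally formatted workflows; the workflows below are constructed."""
import re

# A mapping key at some indentation: "  permissions:" -> (2, "permissions").
_KEY_RE = re.compile(r"^(?P<indent>[ ]*)(?P<key>[A-Za-z_][\w-]*):")


def _key_lines(text):
    """Yield (indent, key) for each mapping-key line, skipping blanks,
    comments and sequence items ('- uses: ...'), which never start a key."""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _KEY_RE.match(raw)
        if m:
            yield len(m.group("indent")), m.group("key")


def audit_permissions(workflow_yaml):
    """Return (has_workflow_level_block, {job_name: has_job_level_block})."""
    workflow_level = False
    in_jobs = False
    job_indent = None      # indentation of job names under 'jobs:'
    child_indent = None    # indentation of keys directly under a job
    current = None
    jobs = {}
    for indent, key in _key_lines(workflow_yaml):
        if indent == 0:
            if key == "permissions":
                workflow_level = True
            in_jobs = key == "jobs"
            current = None
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = indent
        if indent == job_indent:
            current = key
            child_indent = None
            jobs[current] = False
        elif current is not None:
            if child_indent is None:
                child_indent = indent
            # Only a direct child of the job counts; a deeper 'permissions'
            # key (for example an action input under 'with:') is not job scope.
            if indent == child_indent and key == "permissions":
                jobs[current] = True
    return workflow_level, jobs


def jobs_missing_permissions(workflow_yaml):
    """Jobs whose token scope falls back to the repository default: no
    job-level block and no workflow-level block to inherit from."""
    workflow_level, jobs = audit_permissions(workflow_yaml)
    if workflow_level:
        return []
    return [name for name, explicit in jobs.items() if not explicit]


def add_default_read_only(workflow_yaml):
    """Insert 'permissions: contents: read' above the top-level 'jobs:' key,
    the same shape of fix this PR applies. Jobs with their own block keep it:
    a job-level 'permissions' replaces the workflow default rather than
    merging with it, so the test job's checks/pull-requests writes survive."""
    lines = workflow_yaml.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("jobs:"):
            lines[i:i] = ["permissions:", "  contents: read", ""]
            break
    return "\n".join(lines) + "\n"


# Constructed 'before' workflow (assumption, not the project's ci.yml).
BEFORE = """\
name: CI
on: [push, pull_request]

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      checks: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

AFTER = add_default_read_only(BEFORE)

if __name__ == "__main__":
    print("before:", jobs_missing_permissions(BEFORE))  # ['lint']
    print("after: ", jobs_missing_permissions(AFTER))   # []
    print(AFTER)
```

The checker reports only the job that has no block of its own and no workflow-level fallback; after the insertion it reports nothing, while `audit_permissions` still shows the test job's own block intact, which is the "preserving job-level permissions" point the reviews make.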

@bcdonadio bcdonadio merged commit 7db8c7b into master May 18, 2026
19 checks passed
@bcdonadio bcdonadio deleted the security/fix-codeql-workflow-permissions branch May 18, 2026 21:11