Potential fix for code scanning alert no. 18: Workflow does not contain permissions

[aegilops]

Potential fix for https://github.com/advanced-security/codeql-sarif-security-standard-annotator/security/code-scanning/18

To correct the issue, you should add a permissions key either at the root workflow level (above jobs:) or directly in the relevant job (check-dist). Adding at the root is preferred for single-job workflows and guarantees all jobs are covered. Since this workflow only reads contents and uploads artifacts, the minimum permissions required are likely contents: read. If artifact upload requires additional permissions, those can be added, but for the current use case, contents: read suffices.

Edit .github/workflows/check-dist.yml to insert the following block after the workflow name: and before on::

permissions:
  contents: read

No other code changes are required, as no steps shown in the workflow require write access to contents or other tokens.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[Copilot]

Pull request overview

This PR addresses a CodeQL security alert by adding explicit permissions to the check-dist.yml GitHub Actions workflow. The change follows the principle of least privilege by setting contents: read at the root workflow level, which is sufficient for all operations performed: checking out code, running build steps, comparing distributions, and uploading artifacts.

Key Changes

• Added permissions block with contents: read to .github/workflows/check-dist.yml

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.