
ci: declare workflow-level contents: read on 4 check workflows #1040

Open

arpitjain099 wants to merge 1 commit into ClickHouse:main from arpitjain099:chore/declare-workflow-perms

Conversation


@arpitjain099 arpitjain099 commented May 25, 2026

Adds workflow-level permissions: contents: read to four check workflows: code-quality, unit-tests, visual-regression-tests, build-health-checkup. None make GitHub API writes.

Same post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. YAML validated locally.


Note

Low Risk
YAML-only CI permission tightening with no application or secret-handling changes; checkout and existing steps remain sufficient with read access.

Overview
Four CI workflows (build-health-checkup, code-quality, unit-tests, visual-regression-tests) now declare workflow-level permissions: contents: read, limiting the default GITHUB_TOKEN to repository read access (checkout and build/test steps only).

This matches the existing hardening on workflows like storybook-vercel and aligns with least-privilege guidance after supply-chain incidents affecting Actions permissions. No job steps or triggers are changed—only the explicit permission block is added under each workflow’s env section.

Reviewed by Cursor Bugbot for commit 2e75881. Bugbot is set up for automated code reviews on this repo. Configure here.

Four workflows (code-quality, unit-tests, visual-regression-tests, build-health-checkup) just run checks and tests; no GitHub API writes from the workflows.

Post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. yaml.safe_load validated.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>

changeset-bot Bot commented May 25, 2026

⚠️ No Changeset found

Latest commit: 2e75881

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



cursor Bot left a comment


Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.


HUSKY: 0

permissions:
contents: read
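Review bot: confirm that the added `permissions:` block is a top-level workflow key and not indented inside `env:`. In this hunk it follows `HUSKY: 0`, the last entry of the env map, and the PR description says the block is added "under each workflow's env section"; `permissions` has to be a sibling of `env:`, since a mapping is not a valid env value. Also, because a workflow-level `permissions:` block sets every scope it does not list to `none`, the `actions/upload-artifact@v6` step that the Bugbot comment flags in visual-regression-tests should get its extra scope through a job-level block on that one job, e.g. `permissions:` / `contents: read` / `actions: write` under the job (restating `contents: read`, because a job-level block replaces rather than merges with the workflow-level one), instead of widening the workflow-level block for every job.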

Missing actions: write permission breaks artifact upload

Medium Severity

The workflow-level permissions: contents: read declaration causes all unspecified permissions to default to none. The actions/upload-artifact@v6 step (used on test failure) requires actions: write permission to upload artifacts. This means when visual regression tests fail, the artifact upload step will also fail, preventing developers from accessing the Playwright report and test results needed to debug failures.


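The Bugbot finding above hinges on how GitHub Actions resolves `GITHUB_TOKEN` scopes: once a `permissions:` block is declared at workflow level, every scope it omits becomes `none` for all jobs, and a job-level block replaces the workflow-level block wholesale rather than merging with it. The following added example (written here as an illustration; it is not code from this PR or from the ClickHouse repository) encodes those two rules as a small linter over the mapping that `yaml.safe_load` returns for a workflow file, and runs it on two constructed workflows: one shaped like the flagged visual-regression-tests file, and one that grants `actions: write` only on the job that uploads the Playwright report. The scope list is a subset chosen for the example, and the assumption that `actions/upload-artifact` needs `actions: write` is taken from the Bugbot comment, not independently verified here.

```python
import copy

# Token scopes this linter tracks (a subset of the GITHUB_TOKEN scopes GitHub
# exposes; assumed list for the example).
SCOPES = ("actions", "checks", "contents", "id-token", "issues",
          "packages", "pull-requests", "statuses")

# Actions that need a scope beyond `contents: read`. The upload-artifact entry
# is taken from the Bugbot finding on this PR and is an assumption here.
STEP_SCOPE_NEEDS = {
    "actions/upload-artifact": {"actions": "write"},
}

_LEVEL = {"none": 0, "read": 1, "write": 2}


def normalize(block):
    """Expand a `permissions:` value into an explicit scope -> level mapping.

    GitHub's rule: a shorthand (`read-all` / `write-all`) applies to every
    scope; a mapping sets the listed scopes and silently drops every other
    scope to `none`. Returns None when no block was declared at this level.
    """
    if block is None:
        return None
    if isinstance(block, str):
        level = {"read-all": "read", "write-all": "write"}.get(block)
        if level is None:
            raise ValueError(f"unknown permissions shorthand: {block!r}")
        return dict.fromkeys(SCOPES, level)
    if isinstance(block, dict):
        return {scope: block.get(scope, "none") for scope in SCOPES}
    raise ValueError(f"unsupported permissions value: {block!r}")


def effective_permissions(workflow, job_name):
    """Scopes a job actually receives.

    A job-level block replaces the workflow-level block entirely (no merge).
    With neither declared, the token falls back to the repository's default
    setting, which the linter reports as None (unknown from the file alone).
    """
    job_block = normalize(workflow["jobs"][job_name].get("permissions"))
    if job_block is not None:
        return job_block
    return normalize(workflow.get("permissions"))


def lint(workflow):
    """Return findings as (job, step_uses, scope, required, granted) tuples."""
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        perms = effective_permissions(workflow, job_name)
        if perms is None:
            # No explicit block anywhere: scopes come from repo settings.
            findings.append((job_name, None, "permissions", "declared", "repo default"))
            continue
        for step in job.get("steps", []):
            uses = step.get("uses", "")
            action = uses.split("@", 1)[0]
            for scope, required in STEP_SCOPE_NEEDS.get(action, {}).items():
                granted = perms[scope]
                if _LEVEL[granted] < _LEVEL[required]:
                    findings.append((job_name, uses, scope, required, granted))
    return findings


# Constructed sample: the mapping yaml.safe_load would return for a
# visual-regression workflow with only `contents: read` at workflow level
# (trigger omitted; note that a bare `on:` key parses as the boolean True).
BEFORE = {
    "name": "visual-regression-tests",
    "env": {"HUSKY": 0},
    "permissions": {"contents": "read"},
    "jobs": {
        "test": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"run": "npx playwright test"},
                {"if": "failure()",
                 "uses": "actions/upload-artifact@v6",
                 "with": {"name": "playwright-report",
                          "path": "playwright-report/"}},
            ],
        }
    },
}

# Constructed fix: keep the workflow-level default read-only and grant
# `actions: write` on the one job that uploads artifacts. Because a job-level
# block replaces the workflow-level one, `contents: read` must be restated.
AFTER = copy.deepcopy(BEFORE)
AFTER["jobs"]["test"]["permissions"] = {"contents": "read", "actions": "write"}

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(wf) or "no findings")
```

Run on real files, `lint(yaml.safe_load(open(path)))` reports, per job, either a missing explicit block (scopes inherited from repo settings) or a step whose required scope the effective block does not grant; the `BEFORE` workflow yields exactly the artifact-upload finding the Bugbot describes, and `AFTER` yields none while every other job keeps the read-only default.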
