
Potential fix for code scanning alert no. 8: Workflow does not contain permissions#91

Merged
eschultink merged 1 commit into main from alert-autofix-8 on Jan 3, 2026

Conversation

@eschultink (Member)

Potential fix for https://github.com/Worklytics/appengine-pipelines/security/code-scanning/8

To fix the problem, explicitly define minimal GITHUB_TOKEN permissions in the workflow. Since neither job needs to write to the repository or manage issues/PRs, we can safely set contents: read at the workflow level, which applies to all jobs that do not override permissions. This adheres to the principle of least privilege and satisfies CodeQL’s recommendation.

The best minimal, non-breaking change: in .github/workflows/test-java.yml, add a permissions: block right after the name: Test Java line (before the on: [push] line). Set contents: read. No changes are needed inside the jobs: section, and no imports or additional definitions are required, because this is purely a workflow configuration change.

Concretely:

  • Edit .github/workflows/test-java.yml.
  • After line 2 (name: Test Java), insert:
    permissions:
      contents: read
  • Leave the rest of the workflow unchanged.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
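The change described above, shown in context as an added example rather than the project's actual `.github/workflows/test-java.yml`: the first YAML document is the workflow without a `permissions` key, the second is the same workflow with the fix applied. Only `name: Test Java`, `on: [push]` and `contents: read` come from the PR; the job body (checkout, JDK setup, a Maven test run) is an assumed placeholder standing in for whatever the real jobs do.

```yaml
# Added example, not the project's workflow file. Two YAML documents:
# before the fix and after. The job body is an assumed placeholder.

# --- before: no `permissions` key, so GITHUB_TOKEN receives the repository's
# default token scope, which is read/write on every scope unless the
# repository or organization default has been switched to read-only.
name: Test Java
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      - run: mvn -B test
---
# --- after: workflow-level least privilege. Declaring any `permissions` block
# sets every scope not listed to `none`; `contents: read` is all that
# actions/checkout needs to clone the repository.
name: Test Java
permissions:
  contents: read
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      - run: mvn -B test
```

Two caveats when applying this pattern elsewhere. First, a workflow-level `permissions` block only covers jobs that do not declare their own; a job that later needs to publish test results (`checks: write`) or post a PR comment (`pull-requests: write`) must carry a job-level `permissions` block listing exactly those scopes, otherwise it fails with a 403 at runtime, which is the kind of breakage to look for in the CI run after merging. Second, this does not constrain tokens supplied via `secrets`, only the automatic `GITHUB_TOKEN`; a PAT stored as a secret keeps whatever scope it was issued with.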
@eschultink eschultink marked this pull request as ready for review January 2, 2026 17:39
Copilot AI left a comment


Pull request overview

This PR addresses a security code scanning alert by adding explicit GITHUB_TOKEN permissions to the test workflow. The change implements the principle of least privilege by restricting the workflow to read-only access to repository contents.

  • Added minimal permissions configuration to restrict GITHUB_TOKEN scope
  • Set contents: read at workflow level to apply read-only access to all jobs


@eschultink eschultink merged commit 37e9066 into main Jan 3, 2026
9 checks passed
@eschultink eschultink deleted the alert-autofix-8 branch January 3, 2026 17:34