Potential fix for code scanning alert no. 13: Workflow does not contain permissions

[xtfer]

Potential fix for https://github.com/aurabx/harmony/security/code-scanning/13

In general, the fix is to explicitly restrict the GITHUB_TOKEN permissions for this workflow or job, rather than relying on repository defaults. Since the build-binaries job only reads the repository and uploads build artifacts, it should only need contents: read. We can either set permissions at the workflow root (applying to all jobs that don’t override them) or directly on the build-binaries job. Because the docker job already has its own explicit permissions, adding a workflow‑root permissions block with contents: read is safe: docker will continue to use its own, more permissive block, and build-binaries will get minimal read-only access.

The best minimal change without affecting existing behavior is therefore to add a permissions: block at the top level of the workflow, just after name: Releases (or just before env:), specifying contents: read. This constrains GITHUB_TOKEN for build-binaries (the job flagged by CodeQL) while leaving the existing docker job permissions intact. No imports or external dependencies are needed; this is purely a YAML configuration change within .github/workflows/build.yml.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

---

Note

Tightens default token scope for the Releases workflow.

• Adds a workflow-root permissions block with contents: read in .github/workflows/build.yml, ensuring jobs without overrides use read-only GITHUB_TOKEN.

^{Written by Cursor Bugbot for commit 42a2535. This will update automatically on new commits. Configure here.}