
Potential fix for code scanning alert no. 2: Workflow does not contain permissions #5

Merged
xtfer merged 1 commit into main from alert-autofix-2 on Jan 22, 2026


Conversation

@xtfer (Contributor) commented Jan 22, 2026

Potential fix for https://github.com/aurabx/harmony/security/code-scanning/2

In general, this issue is fixed by explicitly specifying a permissions block for the workflow or for each job, instead of relying on repository defaults. For a simple build-only workflow that just checks out code and runs cargo build, the only required scope is read access to repository contents, so contents: read is sufficient.

The best minimal fix here is to add a top-level permissions block just under the name: Rust line in .github/workflows/rust.yml. This will apply to all jobs in the workflow (currently just build) and constrain the automatically provided GITHUB_TOKEN to have only contents: read. No other permissions (like pull-requests: write) are needed, since the workflow does not interact with PRs beyond being triggered by them. The change is limited to inserting a few lines and does not modify any existing steps or behavior.

Concretely:

  • Edit .github/workflows/rust.yml.

  • Insert:

    permissions:
      contents: read

    after line 1 (name: Rust) and before the on: block at line 3.

  • No additional methods, imports, or definitions are required, as this is purely a YAML configuration change.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
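As an added example that is not part of this PR or the harmony project: a small Python check a reviewer could run to confirm that a workflow either sets top-level `permissions:` or sets them on every job (the condition behind this alert), together with the insertion the description performs. The hand-rolled indentation scan and the sample workflow are assumptions, constructed to mirror the shape described above rather than copied from the repository.

```python
"""Check a GitHub Actions workflow for the CodeQL finding "Workflow does not
contain permissions" and apply this PR's fix. Added example, not harmony code;
the indentation scan is an assumption: block-style YAML only, no flow/anchors."""
import re

# Block-style mapping key: indent then `key:`; list items (`- uses:`) and comments never match.
KEY = re.compile(r"^(\s*)([A-Za-z_][\w.-]*):")

def jobs_missing_permissions(text):
    """Jobs inheriting the repository's default GITHUB_TOKEN scope (no top-level or job-level permissions)."""
    keys = [(len(m[1]), m[2]) for m in map(KEY.match, text.splitlines()) if m]
    if any(ind == 0 and key == "permissions" for ind, key in keys):
        return []  # a top-level block constrains every job
    in_jobs, job_indent, child_indent, current, missing = False, None, None, None, []
    for ind, key in keys:
        if ind == 0:
            in_jobs = key == "jobs"
        if ind == 0 or not in_jobs:
            continue
        if job_indent is None:
            job_indent = ind  # first key under jobs: sets the job indent level
        if ind == job_indent:
            current, child_indent = key, None
            missing.append(key)
        elif current and child_indent is None:
            child_indent = ind  # first key under a job sets its child indent
        if current in missing and ind == child_indent and key == "permissions":
            missing.remove(current)
    return missing

def add_top_level_permissions(text, scopes=("contents: read",)):
    """Insert a `permissions:` block right after the `name:` line, as the PR does."""
    head, _, rest = text.partition("\n")
    block = "permissions:\n" + "".join(f"  {s}\n" for s in scopes)
    return f"{head}\n\n{block}{rest}"

# Constructed workflow with the shape the PR describes (not the real rust.yml).
BEFORE = """name: Rust

on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo build --verbose
"""
AFTER = add_top_level_permissions(BEFORE)
```

Running `jobs_missing_permissions` on BEFORE reports `build`; on AFTER it reports nothing, which is the state the merged change leaves rust.yml in.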

Note

CI permissions hardening for Rust workflow

  • Adds top-level permissions with contents: read to .github/workflows/rust.yml, constraining the default GITHUB_TOKEN scope for all jobs
  • No changes to triggers, env, jobs, or steps; build remains unchanged

Written by Cursor Bugbot for commit 1e0e07e.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@xtfer xtfer marked this pull request as ready for review January 22, 2026 22:38
@xtfer xtfer merged commit b7ee897 into main Jan 22, 2026
6 checks passed
@xtfer xtfer deleted the alert-autofix-2 branch January 22, 2026 22:38