Potential fix for code scanning alerts: Workflow does not contain permissions#1164

Merged
mprins merged 4 commits into main from alert-autofix-450
Feb 19, 2026
Conversation

@mprins
Contributor

@mprins mprins commented Feb 18, 2026

Potential fix for https://github.com/Tailormap/tailormap-viewer/security/code-scanning/450

To fix the problem, give the event_file job its own explicit, least-privilege permissions block so it does not inherit broad defaults. Because this job only needs to read the workflow event JSON from the checkout/context and upload it as an artifact, it only requires contents: read. It does not modify code, issues, or PRs.

Concretely, in .github/workflows/test-and-deploy.yml, inside the event_file job (around lines 100–108), add a permissions: section with contents: read. Place it at the same indentation level as runs-on: and steps:. No imports or other files are needed, and no behavior of the job changes; it simply restricts the GITHUB_TOKEN for this job.

resolve:

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
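As an added example (not code from the tailormap-viewer repository or from Copilot Autofix), the check behind this alert and the fix the description prescribes, in Python: a small scanner that reports jobs whose GITHUB_TOKEN scope is left at the repository default, and a helper that inserts a `permissions:` block under a job at the indentation of its `runs-on:` and `steps:` keys. The workflow text is constructed here; the job ids `test` and `event_file` come from the page, the step details are assumed. It assumes block-style, space-indented workflow YAML and deliberately avoids a YAML library so it runs anywhere.

```python
# Added example, not the tailormap-viewer project's code. Assumes block-style,
# space-indented workflow YAML (the conventional shape of GitHub workflows).
import re

# A YAML mapping key at line start: captures its indent and name.
_KEY = re.compile(r"^( *)([A-Za-z_][\w.\-]*):(?:\s|$)")


def parse_workflow(text: str) -> tuple[set[str], dict[str, set[str]]]:
    """Return (top-level keys, {job_id: its direct keys}); step items
    ("- uses: ...") never match _KEY and are skipped."""
    top: set[str] = set()
    jobs: dict[str, set[str]] = {}
    in_jobs, current, job_indent, key_indent = False, None, None, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KEY.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            top.add(key)
            in_jobs = key == "jobs"
            job_indent = key_indent = current = None
        elif in_jobs:
            if job_indent is None:
                job_indent = indent      # first key under jobs: is a job id
            if indent == job_indent:
                current, key_indent = key, None
                jobs[current] = set()
            elif current is not None:
                if key_indent is None:
                    key_indent = indent  # first key under a job sets key depth
                if indent == key_indent:
                    jobs[current].add(key)
    return top, jobs


def find_missing_permissions(text: str) -> list[str]:
    """Job ids running with the default GITHUB_TOKEN scopes. A workflow-level
    `permissions:` covers every job without its own; otherwise each job needs
    a block (even `permissions: {}` counts)."""
    top, jobs = parse_workflow(text)
    if "permissions" in top:
        return []
    return [job for job, keys in jobs.items() if "permissions" not in keys]


def add_job_permissions(text: str, job: str, scopes: dict[str, str]) -> str:
    """Insert `permissions:` with `scopes` directly under `<job>:`, indented
    like the job's other keys. Assumes the job id is not reused as a key."""
    lines = text.splitlines()
    out: list[str] = []
    done = False
    for i, line in enumerate(lines):
        out.append(line)
        m = _KEY.match(line)
        if done or m is None or m.group(2) != job or not m.group(1):
            continue
        job_indent = len(m.group(1))
        key_indent = job_indent + 2      # fallback when the job has no keys yet
        for nxt in lines[i + 1:]:
            n = _KEY.match(nxt)
            if n:
                if len(n.group(1)) > job_indent:
                    key_indent = len(n.group(1))
                break
        pad = " " * key_indent
        out.append(f"{pad}permissions:")
        out.extend(f"{pad}  {scope}: {level}" for scope, level in scopes.items())
        done = True
    return "\n".join(out) + "\n"


# Constructed workflow in the shape the PR describes: job ids match the page,
# step details are assumed. No permissions block anywhere.
WEAK_WORKFLOW = """\
name: 'Test and deploy'
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/upload-artifact@v4
        with:
          name: test-results
          path: reports/
  event_file:
    name: "Event File"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/upload-artifact@v4
        with:
          name: Event File
          path: ${{ github.event_path }}
"""

# After the fix: read-only default for all jobs plus the explicit job-level
# block on event_file that the description asks for.
FIXED_WORKFLOW = add_job_permissions(
    "permissions:\n  contents: read\n" + WEAK_WORKFLOW,
    "event_file", {"contents": "read"},
)
```

`find_missing_permissions(WEAK_WORKFLOW)` names both jobs, `FIXED_WORKFLOW` yields none, and applying only the job-level fix still leaves `test` unscoped, which is why the merged change adds the workflow-level block as well.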

@mprins mprins self-assigned this Feb 18, 2026
@mprins mprins added the infrastructure CI and build process related label Feb 18, 2026
@github-actions

github-actions Bot commented Feb 18, 2026

Test Results

  1 files  ±0  226 suites  ±0   8m 30s ⏱️ +22s
601 tests ±0  601 ✅ ±0  0 💤 ±0  0 ❌ ±0 
695 runs  ±0  695 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit af6c899. ± Comparison against base commit f42ef90.

♻️ This comment has been updated with latest results.

…ain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@mprins mprins changed the title Potential fix for code scanning alert no. 450: Workflow does not contain permissions Potential fix for code scanning alerts: Workflow does not contain permissions Feb 19, 2026
mprins and others added 3 commits February 19, 2026 09:50
…ain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…ain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@mprins mprins marked this pull request as ready for review February 19, 2026 09:01
Copilot AI review requested due to automatic review settings February 19, 2026 09:01
Contributor

Copilot AI left a comment


Pull request overview

This PR aims to address GitHub code scanning alerts about missing/overly broad GITHUB_TOKEN permissions by adding explicit permissions blocks to workflows/jobs.

Changes:

  • Add workflow-level permissions: contents: read to test-and-deploy.yml.
  • Add job-level permissions: contents: read to the event_file job in test-and-deploy.yml.
  • Add workflow-level permissions: contents: read to deploy-embed-test.yml.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File / Description

  • .github/workflows/test-and-deploy.yml: Adds explicit permissions at workflow and event_file job level to satisfy code scanning.
  • .github/workflows/deploy-embed-test.yml: Adds explicit workflow-level permissions (contents: read).
Comments suppressed due to low confidence (1)

.github/workflows/test-and-deploy.yml:5

  • PR description says the change is limited to adding a job-level permissions block to event_file in test-and-deploy.yml, but this also adds workflow-level permissions and updates an additional workflow (deploy-embed-test.yml). Either update the PR description to match the actual changes or narrow the changes to what’s described.
permissions:
  contents: read

name: 'Test and deploy'

permissions:
  contents: read
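Review bot: the job-level `permissions:` on `event_file` replaces the workflow-level block for that job rather than merging with it, so with the workflow-level `contents: read` shown here the two declarations say the same thing; keep the job-level block anyway, since it pins `event_file` to `contents: read` even if the workflow-level default is later widened for the deploy jobs. A one-line comment above the top-level `permissions:` stating that every job now starts read-only and must declare any extra scope itself would save the next reader from re-deriving that.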

Copilot AI Feb 19, 2026


The new workflow-level permissions: contents: read applies to all jobs that don’t define their own permissions. This workflow uses actions/upload-artifact in the test and event_file jobs, which requires actions access; with only contents: read those uploads are likely to fail. Consider either (a) adding actions: write to the jobs that upload artifacts (and keep workflow-level permissions empty or minimal), or (b) broadening the workflow-level permissions to include what those jobs need.

Suggested change
  - contents: read
  + contents: read
  + actions: write
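Review bot: do not take the `actions: write` suggestion as-is. actions/upload-artifact authenticates to the artifact service with the runner-supplied ACTIONS_RUNTIME_TOKEN, not with the GITHUB_TOKEN `actions` scope, so `contents: read` alone does not break uploads; the Test Results comment above (601 tests, 695 runs passing for af6c899) is the place to confirm that for the commit carrying the block before widening anything. Adding `actions: write` at workflow level would let every job cancel or re-run workflows and delete artifacts and caches, which is the opposite of what the alert asks for; if a job genuinely needs it, grant it on that job only.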

@mprins mprins merged commit 4017080 into main Feb 19, 2026
20 checks passed
@mprins mprins deleted the alert-autofix-450 branch February 19, 2026 09:38

Labels

infrastructure CI and build process related

2 participants