
@DFanso DFanso (Owner) commented Oct 3, 2025

Potential fix for https://github.com/DFanso/commit-msg/security/code-scanning/1

To fix this issue, we should add a permissions block to the build job in .github/workflows/build-and-release.yml. This block should grant only the minimum necessary permission, which for this job is contents: read. This ensures the build job cannot make changes to the repository, following the principle of least privilege. The addition should be placed alongside the other job keys, right after name: Build Go Binary, similar to how it is specified for the auto-tag and package jobs. No code changes or imports are needed, only a small YAML edit in the workflow.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by CodeRabbit

  • Chores
    • Updated CI build workflow permissions to grant read access to repository contents during builds.
    • No changes to build steps, release flow, or deployment behavior.
    • No impact on features, UI, or performance; end-user experience remains unchanged.
    • This adjustment applies only to internal automation and infrastructure.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@coderabbitai coderabbitai bot (Contributor) commented Oct 3, 2025

Walkthrough

Added a permissions block to the GitHub Actions build job in .github/workflows/build-and-release.yml, specifying contents: read. No other steps or flow were modified.

Changes

Cohort / File(s) | Summary
CI workflow permissions: .github/workflows/build-and-release.yml | Introduced a job-level permissions block with contents: read for the build job; no changes to steps, conditions, or execution flow.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

I hop through YAML fields at night,
Granting read to contents—just right.
Pipelines purr, no steps askew,
A tiny tweak, the build stays true.
Thump-thump! The release burrow’s bright.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title Check | ✅ Passed | The title clearly identifies the primary change (adding a permissions block to address a code scanning alert for missing workflow permissions) and concisely conveys the intent without unnecessary detail.
Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0df4723 and 2e1adac.

📒 Files selected for processing (1)
  • .github/workflows/build-and-release.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Package Binaries
🔇 Additional comments (1)
.github/workflows/build-and-release.yml (1)

46-47: Least-privilege permission looks good.

Job-level contents: read is the minimal scope needed for checkout, satisfying the security alert without granting excess access.


Comment @coderabbitai help to get the list of available commands and usage tips.
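The following is an added illustration of the job-level permissions change described in the PR description and confirmed in CodeRabbit's comment above. It is not the repository's workflow file and not code from the PR, Copilot Autofix, or CodeRabbit. Only the job names (build, auto-tag, package), the display name "Build Go Binary", and the contents: read grant come from the page; the trigger, runner, steps, action versions, and the contents: write scope on the auto-tag job are assumptions chosen to show the pattern.

```yaml
# Added example, not the project's own .github/workflows/build-and-release.yml.
# Everything except the job names, "Build Go Binary" and contents: read is assumed.
name: Build and Release

on:
  push:
    branches: [main]

# Optional workflow-level baseline: jobs that declare no permissions block
# inherit this instead of the repository default for GITHUB_TOKEN, which may
# be read/write depending on the repository's Actions settings.
permissions:
  contents: read

jobs:
  # Before the fix (the state the code scanning alert flagged): no job-level
  # permissions, so the job silently inherits whatever the workflow or
  # repository default grants, even though it only needs to read the checkout.
  #
  # build:
  #   name: Build Go Binary
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@v4
  #     - run: go build ./...

  # After the fix: least privilege at the job level. contents: read is all
  # actions/checkout needs; every scope not listed here becomes none for this job.
  build:
    name: Build Go Binary
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: stable
      - run: go build ./...

  # Assumed shape of a job that genuinely has to write: pushing a tag with
  # GITHUB_TOKEN requires contents: write, so it declares that scope itself
  # rather than relying on a permissive default shared by the build job.
  auto-tag:
    name: Tag release
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: echo "tagging step assumed for illustration"
```

A job-level permissions block replaces the inherited grant rather than merging with it, so listing only contents: read is what makes the build job read-only. The effective scopes for each job can be confirmed in the run log under the "Set up job" step, where GitHub prints the GITHUB_TOKEN Permissions it issued; if a job later fails with a 403 on a write, the fix is to add the specific scope to that job's own block, not to loosen the default.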

@DFanso DFanso marked this pull request as ready for review October 3, 2025 07:09
@DFanso DFanso merged commit 9b44427 into main Oct 3, 2025
11 checks passed
@DFanso DFanso deleted the alert-autofix-1 branch October 3, 2025 08:37