Potential fix for code scanning alert no. 6: Workflow does not contain permissions #272

Merged

majorsilence merged 1 commit into master from alert-autofix-6 on Mar 19, 2026

Conversation

@majorsilence (Owner)

Potential fix for https://github.com/majorsilence/Reporting/security/code-scanning/6

In general, the fix is to explicitly declare a permissions: block in the workflow or job that limits the GITHUB_TOKEN to the least privileges required. For a simple build-and-test workflow that only needs to read repository contents, permissions: contents: read at the workflow root is a good minimal baseline and will apply to all jobs.

For this specific file .github/workflows/mac.yml, the best fix without changing behavior is to add a root-level permissions: block after the name: and before on: (or directly under on:), setting contents: read. None of the listed steps perform operations that require write access (no pushing commits, creating releases, modifying issues/PRs, etc.), and the third-party action dorny/test-reporter mainly reads artifacts and posts annotations via the existing job context; if it needs additional write scopes like checks: write, those could be added explicitly later. For now, we implement the minimal recommendation from CodeQL: permissions: contents: read.

No additional imports or methods are needed; this is a pure YAML configuration change in .github/workflows/mac.yml.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@majorsilence majorsilence marked this pull request as ready for review March 19, 2026 23:14
Copilot AI review requested due to automatic review settings March 19, 2026 23:14
@majorsilence majorsilence merged commit ec07800 into master Mar 19, 2026
9 checks passed
@majorsilence majorsilence deleted the alert-autofix-6 branch March 19, 2026 23:15
Copilot AI left a comment

Pull request overview

Updates the macOS GitHub Actions workflow to address Code Scanning alert #6 by explicitly declaring least-privilege GITHUB_TOKEN permissions.

Changes:

  • Add a root-level permissions: block to .github/workflows/mac.yml.
  • Set default workflow token scope to contents: read.

Comment on lines +3 to +5
permissions:
contents: read

Copilot AI Mar 19, 2026

Setting workflow-level permissions to only contents: read is likely too restrictive for dorny/test-reporter@v2. That action typically creates/updates GitHub Check Runs to publish test results/annotations, which requires checks: write (and sometimes pull-requests: write for PR annotations). With the current permissions, the "Test Report" step may fail and break the CI job. Consider explicitly adding the minimal additional scopes needed for the reporter (e.g., checks: write), or moving permissions to job-level and granting extra permissions only to the job that needs them.

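The job-level split that the PR description and the review comment above both describe, as an added example rather than the PR's actual mac.yml (which is not shown on this page): the workflow root keeps `contents: read` as the default for every job, and only the job that runs dorny/test-reporter is granted `checks: write`. The job names, build command, artifact name, TRX path and reporter format are assumptions.

```yaml
name: mac

on:
  push:
  pull_request:

# Workflow-level default: every job's GITHUB_TOKEN gets read access to
# repository contents and nothing else (every undeclared scope becomes 'none').
permissions:
  contents: read

jobs:
  build:
    runs-on: macos-latest
    # No job-level block here, so this job inherits contents: read only.
    steps:
      - uses: actions/checkout@v4
      - name: Build and test   # assumed step; the real commands are not on the page
        run: echo "build and run the tests here, writing TRX result files"
      - uses: actions/upload-artifact@v4
        if: always()           # publish results even when tests fail
        with:
          name: test-results   # assumed artifact name
          path: '**/*.trx'     # assumed result location

  report:
    needs: build
    if: always()
    runs-on: macos-latest
    # A job-level permissions block REPLACES the root-level set for this job,
    # so contents: read must be restated next to the extra scope.
    permissions:
      contents: read
      checks: write            # dorny/test-reporter creates GitHub Check Runs
      # pull-requests: write   # add only if the reporter must annotate PRs
    steps:
      - name: Test Report
        uses: dorny/test-reporter@v2
        with:
          artifact: test-results   # download the TRX files from the build job
          name: Test Report
          path: '**/*.trx'
          reporter: dotnet-trx     # assumed format; match the project's test logger
```

Keeping the build job on the bare `contents: read` default means a compromised build step or dependency cannot use the token to write check runs or PR content; only the short reporter job holds that scope.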