
Potential fix for code scanning alert no. 14: Workflow does not contain permissions#6334

Closed
czunker wants to merge 1 commit into main from alert-autofix-14

Conversation

Contributor

@czunker czunker commented Dec 22, 2025

Potential fix for https://github.com/mondoohq/cnquery/security/code-scanning/14

To fix this, explicitly define minimal permissions for the workflow so that any job without its own permissions block (like go-test, go-test-integration, go-race, go-bench, and event_file) gets a restricted token. The best conservative default is to set permissions: contents: read at the workflow root, which is sufficient for typical checkout and read-only operations and is compatible with most third-party actions. Jobs that already have custom permissions, such as go-auto-approve, will continue to use their own block and override the default.

Concretely, in .github/workflows/pr-test-lint.yml, add a top-level permissions: section right after the name: Code Test line (before on:). Set it to contents: read. No other changes are required to jobs, including event_file; it will now inherit the minimal read-only permissions. No additional imports or external libraries are needed, since this is only a YAML configuration change.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
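As an added illustration (not the project's workflow file and not the Autofix-generated change itself), a skeleton of the workflow described above with the workflow-level default in place. The go-test-integration, go-race and go-bench jobs are omitted, and the step bodies and the scopes granted to go-auto-approve are assumptions for the example:

```yaml
name: Code Test

# Workflow-level default. Before this fix the key was absent, so every job
# without its own block ran with the repository's default GITHUB_TOKEN scopes,
# which on older repositories can still be the permissive legacy setting.
permissions:
  contents: read

on:
  pull_request:

jobs:
  go-test:                  # no permissions block: inherits contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # checkout only needs contents: read
      - run: go test ./...

  event_file:               # also inherits contents: read; nothing to change
    runs-on: ubuntu-latest
    steps:
      - uses: actions/upload-artifact@v4   # step assumed for the example
        with:
          name: Event File
          path: ${{ github.event_path }}

  go-auto-approve:
    # A job-level block replaces the workflow default rather than merging
    # with it, so any read scope the job still needs must be restated here.
    # The scopes below are assumed for illustration.
    permissions:
      contents: read
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - run: gh pr review --approve "$PR_URL"   # approval step assumed
        env:
          GH_TOKEN: ${{ github.token }}
          PR_URL: ${{ github.event.pull_request.html_url }}
```

Because a job-level permissions block is a full replacement, reviewers should check each such block for scopes it silently drops (for example contents: read) as well as for scopes it grants.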
@github-actions
Contributor

Test Results

4 703 tests   4 699 ✅  2m 14s ⏱️
  415 suites      4 💤
   31 files        0 ❌

Results for commit 67310b3.

@czunker czunker marked this pull request as ready for review December 29, 2025 12:02
@tas50 tas50 requested a review from Copilot December 31, 2025 17:14

Copilot AI left a comment


Pull request overview

This PR addresses GitHub code scanning alert #14 by adding explicit minimal permissions to the workflow. The change implements the principle of least privilege by setting a default contents: read permission at the workflow level.

  • Adds workflow-level permissions: contents: read to restrict default token permissions
  • Jobs without explicit permissions inherit the minimal read-only access
  • The go-auto-approve job retains its existing write permissions through its own permissions block


@czunker
Contributor Author

czunker commented Jan 8, 2026

#6369

@czunker czunker closed this Jan 8, 2026
@github-actions github-actions bot locked and limited conversation to collaborators Jan 8, 2026
