
Potential fix for code scanning alert no. 1: Workflow does not contain permissions #25

Merged: Johnaverse merged 1 commit into main from alert-autofix-1 on Mar 5, 2026

Conversation

@Johnaverse (Owner)

Potential fix for https://github.com/Johnaverse/chains-api/security/code-scanning/1

To fix this, we should explicitly declare minimal GITHUB_TOKEN permissions for the test-and-analyze job. This job only needs to read the repository contents (for actions/checkout) and does not interact with PRs, issues, or packages. The SonarQube step uses its own token (SONAR_TOKEN), not GITHUB_TOKEN, so no extra GitHub scopes are required.

The best minimal-change fix is to add a permissions block under jobs.test-and-analyze with contents: read. We leave the existing permissions block on build-docker-push unchanged, since that job legitimately needs packages: write to push Docker images. Concretely, in .github/workflows/docker-build.yml, after the runs-on: ubuntu-latest line (line 21) inside test-and-analyze, insert:

    permissions:
      contents: read

No additional imports, methods, or definitions are required, as this is a pure workflow-configuration change.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
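As an added illustration (not code from the PR or from the chains-api repository): a small stdlib-only Python lint that flags jobs inheriting the default GITHUB_TOKEN scopes, which is the condition the alert reports, and that applies the same minimal edit the PR describes, inserting a `permissions:` / `contents: read` block right after a job's `runs-on` line. The workflow text is a constructed sample shaped like the description, not the repository's docker-build.yml.

```python
# Constructed sample shaped like the workflow the PR describes: one job with
# no permissions block, one that already declares packages: write. It is not
# the repository's actual docker-build.yml.
SAMPLE_WORKFLOW = """\
name: docker-build
jobs:
  test-and-analyze:
    runs-on: ubuntu-latest
  build-docker-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
"""

def _indent(line):
    return len(line) - len(line.lstrip(" "))

def jobs_missing_permissions(workflow_text):
    """Names of jobs that fall back to the default GITHUB_TOKEN scopes.
    A job passes if it has its own permissions block or the workflow has a
    top-level one. Indentation-based (2-space); a lint, not a YAML parser."""
    top_level, in_jobs, current, jobs = False, False, None, {}
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ind, key = _indent(line), line.strip().split(":", 1)[0]
        if ind == 0:
            in_jobs, current = key == "jobs", None
            top_level = top_level or key == "permissions"
        elif in_jobs and ind == 2 and line.rstrip().endswith(":"):
            current, jobs[key] = key, False
        elif in_jobs and ind == 4 and current and key == "permissions":
            jobs[current] = True
    return [] if top_level else [j for j, ok in jobs.items() if not ok]

def add_job_permissions(workflow_text, job, scopes=("contents: read",)):
    """Insert a permissions block right after the job's runs-on line, the
    same minimal edit the PR makes for test-and-analyze."""
    out, in_job = [], False
    for line in workflow_text.splitlines():
        out.append(line)
        if _indent(line) == 2:
            in_job = line.strip() == f"{job}:"
        elif in_job and line.strip().startswith("runs-on:"):
            out.append("    permissions:")
            out.extend(f"      {s}" for s in scopes)
            in_job = False
    return "\n".join(out) + "\n"
```

Running `jobs_missing_permissions(SAMPLE_WORKFLOW)` reports only `test-and-analyze`; after `add_job_permissions(SAMPLE_WORKFLOW, "test-and-analyze")` the list is empty, while build-docker-push keeps its existing `packages: write`.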

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 5, 2026 12:58

Copilot AI left a comment


Pull request overview

This PR addresses a GitHub code scanning alert by explicitly declaring minimal GITHUB_TOKEN permissions for the test-and-analyze job in the Docker build workflow, aligning the workflow with least-privilege guidance.

Changes:

  • Add an explicit job-level permissions block for test-and-analyze.
  • Restrict test-and-analyze to contents: read (sufficient for actions/checkout and the job’s current steps).


@Johnaverse Johnaverse marked this pull request as ready for review March 5, 2026 13:01
@Johnaverse Johnaverse merged commit 7a3d235 into main Mar 5, 2026
9 checks passed
@Johnaverse Johnaverse deleted the alert-autofix-1 branch March 9, 2026 21:41
2 participants