
Potential fix for code scanning alert no. 5: Workflow does not contain permissions #2

Merged
majorsilence merged 1 commit into main from alert-autofix-5
Mar 19, 2026

Conversation

@majorsilence
Member

Potential fix for https://github.com/TownSuite/DapperExtras/security/code-scanning/5

In general, the fix is to add an explicit permissions block to the workflow or to the individual job(s) so that the GITHUB_TOKEN has only the minimal scopes required. For this workflow, the report job runs after tests and uses dorny/test-reporter@v2 to read an uploaded artifact and create a GitHub Check Run with the test results. That means it needs to read repository contents and write checks, but does not need broader write permissions (like pushing commits, modifying issues, etc.).

The best minimal fix without changing functionality is to add a permissions block under the report job, specifying contents: read (to align with normal read-only repo access) and checks: write (so it can create/update the test report check). We’ll insert:

    permissions:
      contents: read
      checks: write

directly under report: and above runs-on: in .github/workflows/report-tests.yml. No other files or imports are involved, and the rest of the workflow remains unchanged.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
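The alert this PR fixes fires when a workflow declares no `permissions:` block at either the top level or the job level, so every job runs with the default GITHUB_TOKEN scopes. The following is an added example (not code from the PR or the DapperExtras project): a small line-based check that reports jobs lacking an effective `permissions:` declaration, run over a constructed before/after pair modelled on the description above. The workflow text is a stand-in, not the repository's actual `.github/workflows/report-tests.yml`, and the function name `jobs_missing_permissions` is an assumption. It deliberately avoids PyYAML so it runs with the standard library, which means it only understands the plain block-mapping layout that workflow files normally use.

```python
"""Detect GitHub Actions jobs that run with default GITHUB_TOKEN scopes.

Rule implemented (matches the code scanning alert's intent):
  - a column-0 `permissions:` key covers every job, or
  - each job must carry its own `permissions:` key at the job's field level
    (the same indentation as `runs-on:`).
Constructed example, not the project's own code or workflow file.
"""
import re
from typing import Dict, List, Optional

# Constructed "before" workflow: no permissions block anywhere (what the alert flags).
WORKFLOW_BEFORE = """\
name: report-tests
on:
  workflow_run:
    workflows: ["tests"]
    types:
      - completed
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - uses: dorny/test-reporter@v2
        with:
          artifact: test-results
          name: Test results
          path: "*.trx"
          reporter: dotnet-trx
"""

# Constructed "after" workflow: the job-level block the PR description inserts
# directly under `report:` and above `runs-on:`.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "  report:\n    runs-on:",
    "  report:\n    permissions:\n      contents: read\n      checks: write\n    runs-on:",
)


def jobs_missing_permissions(workflow_text: str) -> List[str]:
    """Return the ids of jobs with no effective `permissions:` declaration."""
    lines = workflow_text.splitlines()
    # A top-level block (including forms like `permissions: read-all`) applies to all jobs.
    if any(re.match(r"^permissions\s*:", ln) for ln in lines):
        return []

    seen: Dict[str, bool] = {}          # job id -> has its own permissions key
    in_jobs = False
    job_indent: Optional[int] = None    # indentation of job ids under `jobs:`
    field_indent: Optional[int] = None  # indentation of keys inside the current job
    current: Optional[str] = None

    for ln in lines:
        stripped = ln.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(ln) - len(ln.lstrip(" "))
        if indent == 0:
            # Any column-0 key starts a new top-level section; only `jobs:` matters here.
            in_jobs = stripped == "jobs:"
            current = None
            job_indent = None
            continue
        if not in_jobs:
            continue
        key = stripped.split(":", 1)[0]
        if job_indent is None:
            job_indent = indent          # first key under `jobs:` fixes the job-id level
        if indent == job_indent:
            current = key                # a new job id, e.g. `report:`
            field_indent = None
            seen[current] = False
        elif current is not None and indent > job_indent:
            if field_indent is None:
                field_indent = indent    # first key inside the job fixes the field level
            if indent == field_indent and key == "permissions":
                seen[current] = True
    return [job for job, has_perms in seen.items() if not has_perms]


if __name__ == "__main__":
    for label, text in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print(f"{label}: jobs without permissions = {jobs_missing_permissions(text)}")
```

The check only answers the alert's question (is there any `permissions:` declaration that applies to the job?); it does not judge whether the scopes granted are minimal, which still needs a human reading each job's actions, as the description above does for dorny/test-reporter@v2.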
@majorsilence majorsilence marked this pull request as ready for review March 19, 2026 12:30
Copilot AI review requested due to automatic review settings March 19, 2026 12:30
@majorsilence majorsilence merged commit 632b181 into main Mar 19, 2026
4 checks passed
@majorsilence majorsilence deleted the alert-autofix-5 branch March 19, 2026 12:30

Copilot AI left a comment


Pull request overview

This PR addresses code scanning alert #5 by scoping down GITHUB_TOKEN permissions in the report-tests workflow that publishes test results via dorny/test-reporter@v2.

Changes:

  • Adds an explicit job-level permissions block to the report job
  • Grants contents: read and checks: write for creating/updating the test report check run

