Potential fix for code scanning alert: Workflow does not contain permissions (#1445)

* Potential fix for code scanning alert no. 42: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* fix: add permissions when missing

* fix: alert for unpinned tag for non-imutable acrion in workflow

* fix: update permissions

* fix: update .github/workflows/nodejs.yml

Co-authored-by: Copilot <[email protected]>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Hristo Hristov <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Nikolay Alipiev <[email protected]>

Author: 5 people

.github/workflows/codeql-analysis.yml

@@ -23,6 +23,9 @@ on:
 jobs:
   analyze:
     name: Analyze
+    permissions:
+      contents: read
+      security-events: write
     runs-on: ubuntu-latest
 
     strategy:

.github/workflows/nodejs.yml

@@ -1,4 +1,7 @@
 name: Node.js CI
+permissions:
+  contents: read
+  checks: write
 
 on:
   push:
@@ -35,6 +38,7 @@ jobs:
         run: yarn coverage
       - name: Publish to coveralls.io
         if: matrix.node-version == '20.x'
-        uses: coverallsapp/[email protected]
+        # coverallsapp/github-action@cfd0633edbd2411b532b808ba7a8b5e04f76d2c8 corresponds to v2.3.4
+        uses: coverallsapp/github-action@cfd0633edbd2411b532b808ba7a8b5e04f76d2c8
         with:
             github-token: ${{ github.token }}

.github/workflows/npm-publish.yml

@@ -3,6 +3,9 @@ on:
   release:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest