ci: set top-level permissions for antithesis-verify workflow #21470

Open
gaganhr94 wants to merge 1 commit into etcd-io:main from gaganhr94:fix/token-permissions

Conversation

@gaganhr94 gaganhr94 commented Mar 11, 2026

Summary

Add explicit `permissions: contents: read` at the workflow level in .github/workflows/antithesis-verify.yml to restrict the default GITHUB_TOKEN to read-only access, following the principle of least privilege.

Fixes #21469

Changes

  • Added top-level `permissions: contents: read` to the antithesis-verify.yml workflow

Why

The OpenSSF Scorecard Token-Permissions check flagged this workflow for not defining top-level permissions:

Warn: no topLevel permission defined: .github/workflows/antithesis-verify.yml:1

This change improves the repository's OpenSSF Scorecard score with no functional impact, as the workflow only checks out code and runs local Docker builds.
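As an added illustration (not code from this PR or from the etcd project), the check below reproduces the substance of the Scorecard Token-Permissions finding quoted above: it locates the workflow-level `permissions` key, reports its absence or any `write` scope, and confirms that the `contents: read` block from this PR clears the warning. The sample workflow is constructed, not etcd's actual antithesis-verify.yml, and the line-based parsing is an approximation of Scorecard's own check, not its implementation.

```python
import re

# Constructed sample (not etcd's real antithesis-verify.yml) with no top-level
# `permissions`, the shape Scorecard flags; WORKFLOW_AFTER adds this PR's block.
WORKFLOW_BEFORE = """\
on: [workflow_dispatch]
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t etcd-antithesis:local .
"""
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "jobs:", "permissions:\n  contents: read\njobs:", 1)

def top_level_permissions(workflow_text):
    """None if absent, a shorthand string ('read-all', 'write-all', '{}'), or a
    dict of scope -> level. Only a column-0 key counts, never a job-level one."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:(.*)$", line)
        if not m:
            continue
        inline = m.group(1).split("#", 1)[0].strip()  # drop any comment
        if inline:
            return inline
        scopes = {}
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue  # blank or comment line inside the block
            if not nxt.startswith(" "):
                break  # back at column 0: next top-level key
            scope, _, level = nxt.strip().partition(":")
            scopes[scope.strip()] = level.split("#", 1)[0].strip()
        return scopes
    return None

def check_token_permissions(workflow_text):
    """Findings in the spirit of Scorecard's Token-Permissions check."""
    perms = top_level_permissions(workflow_text)
    if perms is None:
        return ["no topLevel permission defined"]
    if perms == "write-all":
        return ["topLevel 'write-all' permission defined"]
    if isinstance(perms, dict):
        return [f"topLevel '{s}' permission set to 'write'"
                for s, lvl in perms.items() if lvl == "write"]
    return []  # 'read-all' or '{}' grant the token no write access
```

Without a workflow-level block, each job's GITHUB_TOKEN falls back to the repository default, which is why Scorecard treats the missing key itself as a finding rather than only explicit `write` grants.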

@k8s-ci-robot

Hi @gaganhr94. Thanks for your PR.

I'm waiting for an etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the github_actions (Pull requests that update GitHub Actions code) and size/XS labels Mar 11, 2026
@gaganhr94
Author

/ok-to-test

@k8s-ci-robot

@gaganhr94: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.


In response to this:

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@gaganhr94
Author

/assign @ivanvc

@ivanvc
Member

ivanvc commented Mar 23, 2026

/ok-to-test

@codecov

codecov bot commented Mar 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.42%. Comparing base (8dfd828) to head (df975f2).
⚠️ Report is 12 commits behind head on main.

Additional details and impacted files

see 21 files with indirect coverage changes

@@            Coverage Diff             @@
##             main   #21470      +/-   ##
==========================================
+ Coverage   68.39%   68.42%   +0.03%     
==========================================
  Files         428      428              
  Lines       35381    35381              
==========================================
+ Hits        24200    24211      +11     
+ Misses       9773     9761      -12     
- Partials     1408     1409       +1     


@ivanvc
Member

ivanvc commented Mar 25, 2026

Hi, @gaganhr94, thanks for the pull request. We recently fixed an issue with building the Docker image from the workflow that you updated. Could you please rebase your branch? The workflow failure may come from that. Thanks.

Add explicit `permissions: contents: read` at the workflow level to
restrict the default GITHUB_TOKEN to read-only access, following the
principle of least privilege.

This addresses the OpenSSF Scorecard Token-Permissions warning for
.github/workflows/antithesis-verify.yml.

Signed-off-by: Gagan H R <hrgagan4@gmail.com>
@gaganhr94 gaganhr94 force-pushed the fix/token-permissions branch from 1dfb93d to df975f2 on March 25, 2026 12:30
@gaganhr94
Author

Done @ivanvc

@ivanvc
Member

ivanvc commented Mar 29, 2026

/retest

Member

@ivanvc ivanvc left a comment


LGTM. Thanks, @gaganhr94.

/cc @serathius @nwnt

@k8s-ci-robot k8s-ci-robot requested review from nwnt and serathius March 29, 2026 05:48
@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gaganhr94, ivanvc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


Labels

approved, github_actions (Pull requests that update GitHub Actions code), ok-to-test, size/XS

Development

Successfully merging this pull request may close these issues.

ci: fix excessive GitHub workflow token permissions
