
False positive: Workflow does not contain permissions #20487

@h3rmanj


Description of the false positive

We get a lot of Workflow does not contain permissions alerts.

Its description states:

If a GitHub Actions job or workflow has no explicit permissions set, then the repository permissions are used. Repositories created under organizations inherit the organization permissions. The organizations or repositories created before February 2023 have the default permissions set to read-write. Often these permissions do not adhere to the principle of least privilege and can be reduced to read-only, leaving the write permission only to specific types such as issues: write or pull-requests: write.

While our org was created before February 2023, the default permission on the org is set to read contents and packages only, and in the repository I can't even change the setting.

Image

Code samples or links to source code

https://github.com/intility/templates/blob/8653a13809c06c5046e57cb689d8479726380414/.github/workflows/build-react.yml#L13-L36

URL to the alert on GitHub code scanning (optional)

https://github.com/intility/templates/security/code-scanning/4
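For reference, an added example (constructed here, not taken from the linked intility/templates workflow) of the two shapes the query distinguishes: the first workflow declares no permissions anywhere, so the GITHUB_TOKEN scopes depend entirely on the repository or organization default; the second pins a read-only baseline at workflow level and widens a single job to pull-requests: write. Workflow names, steps and the comment step are assumptions.

```yaml
# File 1 (constructed): the shape the alert fires on. No `permissions` key
# at workflow or job level, so the token gets whatever the repository or
# organization default is; the file itself does not say what that is.
name: build (implicit permissions)
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build

# File 2 (constructed): explicit least privilege. The workflow-level block
# is the baseline for every job; a job that needs a write scope declares it
# itself, limited to that scope. The result no longer depends on org or
# repository default settings and is reviewable from the file alone.
name: build (explicit permissions)
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build
  comment:
    needs: build
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # only this job can write, and only PR comments
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: 'Build finished.',
            })
```

The two documents are separate workflow files shown back to back; a job-level `permissions` block replaces the workflow-level one for that job rather than merging with it, so each job restates the scopes it actually needs.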
