
Potential fix for code scanning alert no. 1: Workflow does not contain permissions#13

Merged
jasonad123 merged 1 commit into main from alert-autofix-1
Jan 15, 2026

Conversation

@jasonad123
Owner

Potential fix for https://github.com/jasonad123/mobdb/security/code-scanning/1

In general, to fix this issue you should explicitly define the permissions: for the GITHUB_TOKEN either at the top level of the workflow (applying to all jobs) or inside each job (overriding the top level). For a build/test workflow that primarily needs to read the repository contents, a common minimal setting is contents: read, which prevents unintended write access while still allowing the workflow to check out and read the code.

For this specific workflow in .github/workflows/test-r-universe.yaml, the best fix without changing functional behavior is to add a top-level permissions: block between the on: section and the jobs: section. Given the information available, we can safely set contents: read as a minimal, least-privilege configuration suitable for typical build/test tasks and for invoking a reusable workflow. If later the reusable workflow requires extra permissions (e.g., packages: write), they can be added explicitly, but we should start from the strictest reasonable default.

Concretely:

  • Edit .github/workflows/test-r-universe.yaml.
  • Insert:

        permissions:
          contents: read

    after the on: block (after line 14 in the provided snippet) and before jobs: (line 16).

  • No additional imports, methods, or other definitions are needed since this is a YAML configuration change only.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
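As an added example (not code from this PR or from the mobdb project), the script below scans a workflow for jobs that end up with no explicit GITHUB_TOKEN permissions and then applies the fix described above by inserting a top-level contents: read block before jobs:. The workflow text is a constructed sample shaped like the one discussed; the scan is a small indentation-based pass, not a full YAML parser.

```python
# Added example (not the PR's own code): find jobs with no explicit
# permissions, then insert a top-level `contents: read` block before `jobs:`.
# A line-based scan is used instead of a YAML library so only stdlib is needed.
import re

# Constructed sample shaped like the workflow in the PR, before the fix: one job
# calls a reusable workflow, the other already sets job-level permissions.
WORKFLOW_BEFORE = """\
on:
  push:
  pull_request:
jobs:
  test:
    uses: ./.github/workflows/reusable.yaml
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
"""

KEY_RE = re.compile(r"^(\s*)([A-Za-z_][\w-]*):")  # matches "indent key:" lines

def jobs_missing_permissions(workflow_text):
    """Job ids that inherit the repository default token permissions because
    neither the workflow nor the job declares a `permissions:` block."""
    top_level, in_jobs, job, has_perms = False, False, None, {}
    for line in workflow_text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:                      # workflow-level key
            in_jobs, job = key == "jobs", None
            top_level = top_level or key == "permissions"
        elif in_jobs and indent == 2:        # a job id under jobs:
            job = key
            has_perms.setdefault(job, False)
        elif in_jobs and indent == 4 and key == "permissions" and job:
            has_perms[job] = True            # job-level override present
    if top_level:                            # top-level block covers every job
        return []
    return [j for j, ok in has_perms.items() if not ok]

def add_top_level_permissions(workflow_text, scopes=("contents: read",)):
    """Insert `permissions:` with the given scopes immediately before `jobs:`."""
    block = "permissions:\n" + "".join(f"  {s}\n" for s in scopes)
    lines = workflow_text.splitlines(keepends=True)
    idx = next(i for i, l in enumerate(lines) if l.startswith("jobs:"))
    return "".join(lines[:idx]) + block + "".join(lines[idx:])
```

The scan treats a top-level permissions: block as covering all jobs, which is the behaviour the PR relies on; a stricter variant would also flag jobs that override it with write scopes.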
@codecov

codecov bot commented Jan 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@jasonad123 jasonad123 marked this pull request as ready for review January 15, 2026 15:05
@jasonad123 jasonad123 merged commit 734c6e2 into main Jan 15, 2026
8 checks passed
@jasonad123 jasonad123 deleted the alert-autofix-1 branch January 15, 2026 15:05