

@mykaul mykaul commented Dec 24, 2025

Potential fix for https://github.com/scylladb/scylla-operator/security/code-scanning/1

In general, the fix is to explicitly declare permissions for the GITHUB_TOKEN in the workflow, rather than relying on repository/organization defaults. This is done by adding a permissions: block either at the top workflow level (so it applies to all jobs without their own permissions) or within the specific job. The least-privilege baseline recommended by the alert is contents: read, which is sufficient for checking out code and many read-only operations.

For this workflow, the simplest and least intrusive change is to add a top-level permissions: block just after the on: section (before env:). This will apply to the single release-notes job and any future jobs unless they override it. We will set:

permissions:
  contents: read

No imports or additional methods are needed—this is purely a YAML configuration change within .github/workflows/releases.yaml. Functionality should remain unchanged for operations that only need read access to repository contents; if the custom release-notes action requires more, those can be added later, but that is outside the scope of the current static-analysis fix.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…t no. 1: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
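To show the mechanism the PR description relies on, here is an added, constructed workflow (not the scylla-operator project's own releases.yaml, and not code from the PR author): a workflow-level permissions block that gives every job read-only access to contents, plus a job-level block on one job that genuinely needs to publish a release. The job names, the script path and the GO_VERSION value are placeholders. The practitioner's caveat it illustrates: once any scope is declared in a permissions block, every scope not listed is set to none, so a step that silently relied on a broader default (for example writing a release) fails with a 403 from the API rather than continuing with elevated rights; the fix is a narrowly scoped job-level override, not restoring a wide workflow-level grant.

```yaml
# Added illustration, not the scylla-operator project's own releases.yaml.
name: release-notes-example

on:
  push:
    tags:
      - "v*"

# Workflow-level default: applies to every job that does not declare its own
# permissions block. Declaring any scope here is an allow-list: every scope
# that is not listed is set to "none" for the GITHUB_TOKEN.
permissions:
  contents: read

env:
  GO_VERSION: "1.23"   # placeholder value

jobs:
  # Inherits the workflow-level default; a read-only checkout is sufficient.
  release-notes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history so tags and commits are visible
      - name: Generate release notes (placeholder step)
        run: ./hack/generate-release-notes.sh   # placeholder script path

  # This job creates a GitHub release, which requires contents: write.
  # The wider grant is declared on this job only, so the rest of the workflow
  # keeps the read-only default set above.
  publish-release:
    needs: release-notes
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Create release (placeholder step)
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release create "${GITHUB_REF_NAME}" --generate-notes
```

When reviewing a change like the one in this PR, the check worth running is to list every API call the workflow's steps and actions make against the repository and confirm each scope they need is either granted at the job level or genuinely not required; a job-level block is the right place to widen access, because it is visible next to the step that needs it and does not leak to other jobs.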
@scylla-operator-bot

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@scylla-operator-bot scylla-operator-bot bot added the following labels Dec 24, 2025:

  • do-not-merge/work-in-progress: Indicates that a PR should not merge because it is a work in progress.
  • do-not-merge/invalid-commit-message: Indicates that a PR should not merge because it has an invalid commit message.
  • do-not-merge/needs-kind: Indicates a PR lacks a `kind/foo` label and requires one.
  • needs-priority: Indicates a PR lacks a `priority/foo` label and requires one.
  • size/XS: Denotes a PR that changes 0-9 lines, ignoring generated files.
@scylla-operator-bot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mykaul
Once this PR has been reviewed and has the lgtm label, please assign rzetelskik for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mykaul mykaul changed the title from "Potential fix for code scanning alert no. 1: Workflow does not contain permissions" to ".github/workflows/releases.yaml: Potential fix for code scanning alert no. 1: Workflow does not contain permissions" Dec 24, 2025
@scylla-operator-bot

Keywords which can automatically close issues and at(@) or hashtag(#) mentions are not allowed in commit messages.

The list of commits with invalid commit messages:

  • 386c43c .github/workflows/releases.yaml: Potential fix for code scanning alert no. 1: Workflow does not contain permissions

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@mykaul mykaul marked this pull request as ready for review December 24, 2025 12:28
@scylla-operator-bot scylla-operator-bot bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 24, 2025
@scylla-operator-bot

@mykaul: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name            Commit   Details  Required  Rerun command
ci/prow/verify-docs  386c43c  link     true      /test verify-docs

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@scylla-operator-bot

The Scylla Operator project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 30d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Close this PR with /close
  • Offer to help out

/lifecycle stale

@scylla-operator-bot scylla-operator-bot bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 24, 2026