
Potential fix for code scanning alert no. 2: Workflow does not contain permissions (#2)

Merged
ajm19826 merged 1 commit into main from alert-autofix-2 on Mar 8, 2026

Conversation

@ajm19826 (Member) commented Mar 8, 2026

Potential fix for https://github.com/houselearning/Clean/security/code-scanning/2

In general, the fix is to define an explicit permissions: block that grants only the scopes needed by this workflow. This should be done at the job level (or workflow root) so GITHUB_TOKEN does not inherit broader repository defaults. We should keep existing behavior: if scripts/apply_fixes.js needs to push commits or update pull requests, it will require at least contents: write and/or pull-requests: write; if it only needs to read code and issues, contents: read may be enough. With the limited context, the safest non-breaking change is to explicitly set permissions: contents: write for this job, which preserves the likely existing capabilities while documenting them and avoiding broader implicit scopes.

Concretely, in .github/workflows/apply-clean-fixes.yml, add a permissions: block under the apply-fixes job (indented to align with runs-on:). For minimal, clearly defined permissions while keeping functionality, set:

permissions:
  contents: write
  issues: read

contents: write covers checking out and pushing code or updating branches; issues: read covers reading the issue body (though that’s already available as part of the event payload, it keeps intent explicit). If in your repo you know the job never writes, you could instead set contents: read, but based solely on the given snippet we should not reduce capabilities and risk breaking the workflow.

No new imports or external libraries are needed; this is a pure YAML configuration change confined to the shown workflow file.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
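As an added example (not the PR's or the repository's code), here is the check the alert encodes, run over a constructed workflow shaped like the one the description refers to, before and after the suggested job-level permissions: block is added. The workflow text, its trigger and step details are assumptions, not the contents of the repository's actual apply-clean-fixes.yml.

```python
import re

# A YAML mapping key at the start of a line, e.g. "    runs-on:" -> (4, "runs-on").
KEY_RE = re.compile(r"^( *)([A-Za-z0-9_.-]+):")


def jobs_missing_permissions(workflow_text):
    """Return the names of jobs not covered by a permissions: block.

    Mirrors the code scanning rule the PR addresses: a job is covered when the
    workflow root or the job itself declares permissions.  This is an
    indentation-based scan for ordinary workflow files, not a full YAML parser.
    """
    keys = [(len(m.group(1)), m.group(2))
            for m in map(KEY_RE.match, workflow_text.splitlines()) if m]
    if (0, "permissions") in keys:
        return []  # a root-level block applies to every job
    missing, in_jobs = [], False
    job = job_indent = body_indent = None
    covered = False
    for indent, key in keys:
        if indent == 0:  # a new top-level section ends any open job
            if job is not None and not covered:
                missing.append(job)
            job, in_jobs = None, (key == "jobs")
        elif in_jobs and (job is None or indent == job_indent):
            if job is not None and not covered:
                missing.append(job)
            job, job_indent, body_indent, covered = key, indent, None, False
        elif job is not None and indent > job_indent:
            body_indent = indent if body_indent is None else body_indent
            if key == "permissions" and indent == body_indent:
                covered = True  # permissions: sits directly under the job
    if job is not None and not covered:
        missing.append(job)
    return missing


# Constructed workflow resembling the one the PR describes (an assumption, not the repo's file).
BEFORE = """\
name: Apply Clean fixes
on:
  issues:
    types: [opened]
jobs:
  apply-fixes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: node scripts/apply_fixes.js
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
"""

# The same workflow with the job-level block the PR adds, aligned with runs-on:.
AFTER = BEFORE.replace(
    "    runs-on: ubuntu-latest\n",
    "    permissions:\n      contents: write\n      issues: read\n    runs-on: ubuntu-latest\n",
)
```

Running jobs_missing_permissions on BEFORE flags apply-fixes; on AFTER, or on any workflow with a root-level permissions: block, it returns an empty list.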
@gemini-code-assist

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@ajm19826 ajm19826 marked this pull request as ready for review March 8, 2026 15:46
@ajm19826 ajm19826 merged commit 03b52a9 into main Mar 8, 2026
2 of 3 checks passed
@ajm19826 ajm19826 deleted the alert-autofix-2 branch March 8, 2026 15:46
