Potential fix for code scanning alert no. 1: Workflow does not contain permissions#3

Merged
ajm19826 merged 1 commit into main from alert-autofix-1
Mar 8, 2026
Conversation

@ajm19826
Member

@ajm19826 ajm19826 commented Mar 8, 2026

Potential fix for https://github.com/houselearning/Clean/security/code-scanning/1

To fix the problem, explicitly declare a permissions block for the workflow/job so that the GITHUB_TOKEN used via ${{ secrets.GITHUB_TOKEN }} has only the privileges required. This avoids inheriting potentially broad repository defaults and documents the workflow’s intended permissions.

Given only the provided snippet, we should add a job-level permissions block under create-clean-pr. At a minimum, to satisfy the CodeQL recommendation and keep the workflow functional in the most conservative way, we can set contents: read, allowing code checkout while not granting write access to the repository contents. If generate_clean_pr.js needs to create or modify pull requests or issues, additional, more specific write scopes like pull-requests: write or issues: write can later be added, but we should not assume that without seeing the script. Therefore, the safest change that does not knowingly alter existing behavior from this snippet’s perspective is to add:

permissions:
  contents: read

beneath the job definition. No new imports, methods, or other definitions are required; this is purely a YAML configuration change in .github/workflows/create-clean-pr.yml.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
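The workflow shape the description talks about, written out as an added example rather than the repository's actual .github/workflows/create-clean-pr.yml. The job name create-clean-pr, the script name generate_clean_pr.js and the contents: read scope come from the description above; the trigger, runner, checkout and Node setup steps are assumed for illustration.

```yaml
# Added example, not the repository's own workflow file.
# Assumed: trigger, runner and the checkout/setup-node steps.
name: Create clean PR

on:
  push:
    branches: [main]

jobs:
  create-clean-pr:
    runs-on: ubuntu-latest
    # Job-level permissions block. Once any permissions block is declared,
    # every scope not listed is set to "none" for this job's GITHUB_TOKEN,
    # so the job no longer inherits the repository's default token scopes.
    permissions:
      contents: read          # enough for actions/checkout; no repo writes
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: node generate_clean_pr.js
        env:
          # The token the script receives carries only the scopes above.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

If generate_clean_pr.js does call the API to open a pull request, the first run after this change fails with a 403 from the GitHub API on that call, which is the signal to add the narrowest write scope the script actually needs (for example pull-requests: write) rather than restoring the broad default.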
@gemini-code-assist

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@ajm19826 ajm19826 marked this pull request as ready for review March 8, 2026 15:47
@ajm19826 ajm19826 merged commit 52ef309 into main Mar 8, 2026
2 of 3 checks passed
@ajm19826 ajm19826 deleted the alert-autofix-1 branch March 8, 2026 15:47
