Potential fix for code scanning alert no. 5: Workflow does not contain permissions

[andyleejordan]

Potential fix for https://github.com/PowerShell/PowerShellEditorServices/security/code-scanning/5

Add an explicit permissions block to the workflow so the GITHUB_TOKEN is limited to least privilege.
Best fix here: define workflow-level permissions with contents: read, since all jobs in this file can inherit it (there is only one job shown). This satisfies checkout and typical read operations while preventing unintended write scopes.

What to change

• File: .github/workflows/vim-test.yml
• Region: near the top-level keys, after on: and before jobs:
• Change: add:

permissions:
  contents: read

No imports, methods, or dependency changes are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[Copilot]

Pull request overview

This PR addresses code scanning alert no. 5 by adding an explicit permissions block to the vim-test.yml GitHub Actions workflow. Previously the workflow had no permissions declaration, meaning the GITHUB_TOKEN defaulted to broad scopes. Scoping it down to least privilege reduces the blast radius if a step or dependency is compromised.

Changes:

• Added a workflow-level permissions block granting only contents: read.
• The single vim job only performs read-only operations (checkouts, build, test runs), so the workflow-level scope is sufficient for all jobs.