
Conversation

@nicolasbock (Owner)

Potential fix for https://github.com/nicolasbock/ebuildtester/security/code-scanning/5

To fix the issue, the workflow should include a permissions block specifying the least privileges required for each job. This can be done at the root level of the workflow (applicable to all jobs) or for individual jobs. In this case:

  • For the build job, the permissions should be restricted to contents: read because it only interacts with code repositories and uploads artifacts.
  • For the publish-to-pypi job, the permissions already specify the required id-token: write scope, but we can clarify other permissions explicitly (like contents: read).

Changes will be made to .github/workflows/publish.yaml to introduce these explicit permissions.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@nicolasbock nicolasbock marked this pull request as ready for review July 10, 2025 18:54
@Copilot Copilot AI review requested due to automatic review settings July 10, 2025 18:54

Copilot AI left a comment


Pull Request Overview

Adds explicit job-level permissions to comply with the security scanning alert by restricting each job’s privileges.

  • Adds permissions: contents: read to the build job.
  • Adds permissions: contents: read alongside id-token: write to the publish-to-pypi job.
Comments suppressed due to low confidence (2)

.github/workflows/publish.yaml:12

  • [nitpick] The contents: read permission is duplicated in multiple jobs. Consider defining a root-level permissions block to set default least-privilege access and override per-job as needed.
    permissions:

.github/workflows/publish.yaml:46

  • [nitpick] The job name 'pypi' is vague; consider renaming it to something more descriptive like 'Publish to PyPI'.
      name: pypi

@nicolasbock nicolasbock merged commit c283742 into main Jul 10, 2025
12 checks passed
@nicolasbock nicolasbock deleted the alert-autofix-5 branch July 10, 2025 18:58