
Potential fix for code scanning alert no. 12: Workflow does not contain permissions#18

Merged: iamvirul merged 1 commit into master from alert-autofix-12 on Jun 16, 2026

Conversation

iamvirul (Member) commented Jun 16, 2026

Potential fix for https://github.com/getbms/bms/security/code-scanning/12

Add an explicit permissions block at the workflow root (right after the on: section and before jobs:) so all jobs inherit least-privilege defaults.
For this workflow, the best minimal fix is:

  • contents: read (needed for repository checkout)
  • actions: read (safe/commonly compatible for action metadata access)

No job-specific write scopes are required by the shown steps (checkout, flutter build, upload-artifact), so avoid granting write permissions.

Edit only .github/workflows/ci.yml in the top-level section before jobs:.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by CodeRabbit

  • Chores
    • Enhanced workflow security by implementing least-privilege access controls for automated processes.

…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
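For reference, this is what the fix described above looks like in a workflow file. It is an added illustration, not the repository's actual ci.yml (the page does not show that file): the workflow name, trigger, job name, Flutter build command and artifact path are assumptions reconstructed from the three steps the description lists (checkout, flutter build, upload-artifact). Only the permissions block is the change the PR makes.

```yaml
# Added example reconstructing .github/workflows/ci.yml; not the repository's own file.
# Everything except the permissions block is assumed from the PR description.
name: CI

on:
  push:
    branches: [master]
  pull_request:

# The fix: a workflow-root permissions block. Every job inherits these scopes for
# GITHUB_TOKEN, and any scope not listed here (issues, pull-requests, packages,
# id-token, ...) is denied outright rather than falling back to the repository default.
permissions:
  contents: read   # required: actions/checkout reads the repository
  actions: read    # read-only Actions metadata, as chosen in this PR

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Flutter SDK setup is omitted here; the command below is the step the PR
      # description calls "flutter build" (assumed invocation and output path).
      - run: flutter build apk --release
      - uses: actions/upload-artifact@v4
        with:
          name: app
          path: build/app/outputs/flutter-apk/
```

Two things worth checking after merging a change like this. First, the alert is raised by scanning the file, so the repository-level "Workflow permissions" default does not clear it; the explicit block does. Second, a step that quietly depended on a write scope does not fail at YAML validation, it fails on its next run with a 403 "Resource not accessible by integration" from the GitHub API, so watch the first post-merge run. If one job later needs a write scope (a release job that creates a GitHub Release needs contents: write, for example), give that job its own permissions: block instead of widening the root one, since a job-level block replaces the inherited set for that job only.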
coderabbitai bot (Contributor) commented Jun 16, 2026

Caution: Review failed. Pull request was closed or merged during review.

📝 Walkthrough

A top-level permissions block is added to .github/workflows/ci.yml, setting contents: read and actions: read to restrict the GitHub token to read-only access for the entire workflow.

Changes

CI Workflow Permissions Restriction

Layer: Top-level read-only token permissions
File(s): .github/workflows/ci.yml
Summary: Adds a permissions block at the workflow level with contents: read and actions: read, restricting the default GitHub token scope.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A rabbit hops in, locks the gate,
"Read-only," she says, "let's keep it straight!"
No writes, no pushes, just a peek inside,
The CI token now has nowhere to hide.
🐇🔒 Safe and sound, with permissions tied!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Description check: ❓ Inconclusive
  Explanation: The description provides a clear explanation of the change and links to the relevant code scanning alert, but does not follow the repository's PR template structure with sections like Summary, Type, Changes, Test plan, and Related issues.
  Resolution: Structure the description according to the repository template, including explicit sections for Summary, Type, Changes, and Test plan to ensure consistency with project standards.

✅ Passed checks (4 passed)

Title check: ✅ Passed. The title clearly and specifically summarizes the main change: adding a permissions block to fix a code scanning alert about missing workflow permissions.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


iamvirul marked this pull request as ready for review June 16, 2026 18:58
iamvirul added this pull request to the merge queue Jun 16, 2026
Merged via the queue into master with commit 0e77c2f Jun 16, 2026
5 of 6 checks passed
iamvirul deleted the alert-autofix-12 branch June 16, 2026 19:00