Add workflow permissions

[MichaelRFairhurst]

Description

please enter the description of your change here

Change request type

• Release or process automation (GitHub workflows, internal scripts)
• Internal documentation
• External documentation
• Query files (.ql, .qll, .qls or unit tests)
• External scripts (analysis report or other code shipped as part of a release)

Rules with added or modified queries

• No rules added
• Queries have been added for the following rules:
  • rule number here
• Queries have been modified for the following rules:
  • rule number here

Release change checklist

A change note (development_handbook.md#change-notes) is required for any pull request which modifies:

• The structure or layout of the release artifacts.
• The evaluation performance (memory, execution time) of an existing query.
• The results of an existing query in any circumstance.

If you are only adding new rule queries, a change note is not required.

Author: Is a change note required?

• Yes
• No

🚨🚨🚨
Reviewer: Confirm that format of shared queries (not the .qll file, the
.ql file that imports it) is valid by running them within VS Code.

• Confirmed

Reviewer: Confirm that either a change note is not required or the change note is required and has been added.

• Confirmed

Query development review checklist

For PRs that add new queries or modify existing queries, the following checklist should be completed by both the author and reviewer:

Author

• Have all the relevant rule package description files been checked in?
• Have you verified that the metadata properties of each new query is set appropriately?
• Do all the unit tests contain both "COMPLIANT" and "NON_COMPLIANT" cases?
• Are the alert messages properly formatted and consistent with the style guide?
• Have you run the queries on OpenPilot and verified that the performance and results are acceptable?
  As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
• Does the query have an appropriate level of in-query comments/documentation?
• Have you considered/identified possible edge cases?
• Does the query not reinvent features in the standard library?
• Can the query be simplified further (not golfed!)

Reviewer

• Have all the relevant rule package description files been checked in?
• Have you verified that the metadata properties of each new query is set appropriately?
• Do all the unit tests contain both "COMPLIANT" and "NON_COMPLIANT" cases?
• Are the alert messages properly formatted and consistent with the style guide?
• Have you run the queries on OpenPilot and verified that the performance and results are acceptable?
  As a rule of thumb, predicates specific to the query should take no more than 1 minute, and for simple queries be under 10 seconds. If this is not the case, this should be highlighted and agreed in the code review process.
• Does the query have an appropriate level of in-query comments/documentation?
• Have you considered/identified possible edge cases?
• Does the query not reinvent features in the standard library?
• Can the query be simplified further (not golfed!)

[Copilot]

Pull request overview

This PR adds explicit permission declarations to GitHub Actions workflow files to follow security best practices by limiting workflow permissions to only what's needed. This implements the principle of least privilege for GitHub Actions workflows.

Key Changes

• Added permissions blocks to 18 workflow files with appropriate access levels
• Most read-only workflows receive contents: read permission
• Workflows that modify repository state receive elevated permissions like contents: write, pull-requests: write, or actions: write

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
.github/workflows/verify-standard-library-dependencies.yml	Added read-only permissions for verification workflow
.github/workflows/validate-release.yml	Added read/write permissions for validation workflow that needs to write checks and PR comments
.github/workflows/validate-query-test-case-formatting.yml	Added read-only permissions for formatting validation
.github/workflows/validate-query-help.yml	Added read-only permissions for help file validation
.github/workflows/validate-query-formatting.yml	Added read-only permissions for query formatting validation
.github/workflows/validate-package-files.yml	Added read-only permissions for package validation
.github/workflows/upgrade_codeql_dependencies.yml	Added write permissions for workflow that creates PRs
.github/workflows/update-release.yml	Added write permissions for release update workflow
.github/workflows/update-check-run.yml	Added read-only permissions for check run updates
.github/workflows/tooling-unit-tests.yml	Added read-only permissions for unit testing
.github/workflows/standard_library_upgrade_tests.yml	Added read-only permissions with typo in permission key
.github/workflows/generate-html-docs.yml	Added read-only permissions for documentation generation
.github/workflows/finalize-release.yml	Added write permissions for release finalization
.github/workflows/extra-rule-validation.yml	Added read-only permissions for rule validation
.github/workflows/dispatch-release-performance-check.yml	Added mixed permissions for performance check dispatch
.github/workflows/dispatch-matrix-test-on-comment.yml	Added mixed permissions for matrix test dispatch
.github/workflows/codeql_unit_tests.yml	Added read-only permissions for CodeQL testing
.github/workflows/code-scanning-pack-gen.yml	Added read-only permissions for pack generation

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This workflow has duplicate permissions blocks. Lines 2-3 define contents: read, while lines 42-43 define checks: write. GitHub Actions only supports one permissions block per workflow. The workflow likely needs checks: write permission based on the check run update operation performed in the job. The earlier contents: read permission should be removed or combined with checks: write into a single block at the top level.