
Conversation


Copilot AI commented Nov 25, 2025

Org-wide default workflow permissions are changing to read on Dec 1. Adding explicit permissions blocks to prevent workflow breakage and follow principle of least privilege.

Changes

  • .github/workflows/nodejs.yml: Added permissions: contents: read
  • .github/workflows/publish.yml: Added permissions: contents: read

Both workflows only require read access to checkout code. The publish workflow uses an external npm token for registry authentication, not GitHub permissions.

permissions:
  contents: read
Original prompt

This section details the original issue you should resolve.

<issue_title>Org setting change coming Dec 1, please define actions workflow permissions</issue_title>
<issue_description>## Background

There is an org-wide campaign to ensure that workflow permissions are explicitly defined in all GitHub Actions workflow files, for two reasons:

  1. We don't want to break your workflows when we change an org setting that makes the default permissions read
  2. So we can make the above setting change and operate more on the principle of least privilege.

This issue is prepared such that it is readily assignable to Copilot🙂🤖 (prompts below for Copilot to use).

For more detailed information about this effort, please see: https://github.com/github/security-services/discussions/465. If you have questions or need help, please drop in at #prodsec-engineering as we may or may not see updates from this issue due to permissions and/or volume.

Issue Description

We have identified 2 workflow files in your repository that are currently lacking explicit permissions definitions.

Affected Workflow Files

The following workflow files need permissions to be explicitly defined:

Requested Action

Please add explicit permissions to these workflow files and ensure they work as expected by Nov 24th (setting change is planned for Dec 1st). As noted, we are including prompts should you like to assign Copilot.

GitHub Copilot Assignment Prompts

We are also adding prompts to make this issue more easily assignable to Copilot:

For GitHub Copilot:

Task: Add explicit permissions to GitHub Actions workflow files that are currently missing them.

Scope: Update the workflow files listed above to include appropriate permissions: blocks.

Analysis Methodology:

  1. Gather Current State: Check if the workflow has any existing permissions defined
  2. Inventory Workflow Actions:
    • Actions performed directly by the workflow
    • API calls made by the workflow
    • External actions included via uses: statements
  3. Determine Required Permissions: Map each action to its minimum required permissions
  4. Synthesize Minimal Permissions: Create permissions block with only necessary permissions

Requirements:

  1. Add a permissions: block to each workflow file that doesn't have one
  2. Start with contents: read as the minimum permission
  3. Add additional permissions only if the workflow actually needs them based on the actions it performs
  4. Place the permissions: block at the job level or workflow level as appropriate
  5. Ensure the syntax is correct and follows YAML formatting
  6. Maintain existing content formatting, including indentation and comments

Files to modify: See the list of affected workflow files above.

Acceptance criteria:

  • All listed workflow files have explicit permissions defined
  • Permissions follow the principle of least privilege
  • YAML syntax is valid
  • Workflows still function correctly after changes

Copilot Instructions:

Please create a pull request that adds appropriate permissions: blocks to each of the workflow files listed above. Analyze each workflow to determine the minimum permissions required based on the actions it performs, and add only those necessary permissions.
</issue_description>

Comments on the Issue (you are @copilot in this section)

@misfir3 👋 @github/primer-reviewers (as repo owner) This is a gentle reminder/nudge that we are 14 days away from the anticipated org level change (see https://thehub.github.com/news/2025-11-20-workflow-permissions-default-change/). Since this issue comes with prompts for Copilot, feel free to assign it to Copilot. Our goal here is to avoid breaking your workflow. If you have questions, please feel free to drop in at `prodsec-engineering`.

cc @keithamus as contributor/s on the mentioned workflow/s



Co-authored-by: francinelucca <40550942+francinelucca@users.noreply.github.com>
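The issue's analysis methodology (gather current state, inventory the `uses:` actions, synthesize a minimal block) applied to a constructed workflow, as an added example that is not part of this PR or the repository. It assumes 2-space YAML indentation and uses a hypothetical sample workflow rather than the repository's real nodejs.yml; the `audit` and `add_minimal_permissions` helpers are assumptions of this example, not project tooling.

```python
import re

# Constructed sample (not the repository's real file): a CI workflow with no
# permissions block, the state the issue flags. 2-space indentation assumed.
NODEJS_BEFORE = """\
name: Node.js CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

def _job_permissions(lines):
    """Map each job under 'jobs:' to whether it has its own permissions: block."""
    jobs, in_jobs, current = {}, False, None
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:                       # new top-level key
            in_jobs, current = line.startswith("jobs:"), None
        elif in_jobs and indent == 2 and stripped.endswith(":"):
            current, jobs[stripped[:-1]] = stripped[:-1], False
        elif in_jobs and current and indent == 4 and stripped.startswith("permissions:"):
            jobs[current] = True
    return jobs

def audit(text):
    """Steps 1-2 of the issue's methodology: current state and action inventory."""
    lines = text.splitlines()
    jobs = _job_permissions(lines)
    explicit = any(l.startswith("permissions:") for l in lines) or (
        bool(jobs) and all(jobs.values()))
    return {"explicit": explicit, "jobs": jobs,
            "uses": [m.group(1) for m in map(USES_RE.search, lines) if m]}

def add_minimal_permissions(text):
    """Step 4: insert a workflow-level 'contents: read' block before 'jobs:'."""
    if audit(text)["explicit"]:
        return text
    lines = text.splitlines(keepends=True)
    idx = next(i for i, l in enumerate(lines) if l.startswith("jobs:"))
    return "".join(lines[:idx] + ["permissions:\n", "  contents: read\n"] + lines[idx:])
```

A workflow whose every job declares its own `permissions:` block is also reported as explicit, matching requirement 4 (job level or workflow level).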
Copilot AI changed the title from "[WIP] Define actions workflow permissions for organization" to "Add explicit permissions to GitHub Actions workflow files" Nov 25, 2025
Copilot finished work on behalf of francinelucca November 25, 2025 20:48
Copilot AI requested a review from francinelucca November 25, 2025 20:48
@francinelucca francinelucca marked this pull request as ready for review November 25, 2025 20:52
@francinelucca francinelucca requested a review from a team as a code owner November 25, 2025 20:52
Copilot AI review requested due to automatic review settings November 25, 2025 20:52
Copilot finished reviewing on behalf of francinelucca November 25, 2025 20:52

Copilot AI left a comment


Pull request overview

This PR adds explicit permissions blocks to GitHub Actions workflows in preparation for an organization-wide default permissions change to read on December 1st. The changes ensure workflows continue functioning while following the principle of least privilege.

  • Added permissions: contents: read to both workflow files
  • Both workflows only require read access to checkout repository code
  • The publish workflow uses an external npm token for registry authentication, not GitHub permissions

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File                            Description
.github/workflows/nodejs.yml    Added explicit contents: read permission for the CI workflow that runs tests on push
.github/workflows/publish.yml   Added explicit contents: read permission for the publish workflow that releases to npm


@francinelucca francinelucca merged commit 928840d into main Nov 25, 2025
10 checks passed
@francinelucca francinelucca deleted the copilot/define-workflow-permissions branch November 25, 2025 21:02

Successfully merging this pull request may close these issues.

Org setting change coming Dec 1, please define actions workflow permissions
