Potential fix for code scanning alert no. 1: Workflow does not contain permissions

[infiloop2]

Potential fix for https://github.com/smartcontractkit/cre-cli/security/code-scanning/1

In general, the fix is to explicitly define a permissions block for every job (or at the workflow root) so that the GITHUB_TOKEN scope is minimized and no job depends on repository/organization defaults. For jobs that only need to read repository contents, contents: read is a good minimal baseline; if they don’t need to write anything or access other resources, no additional scopes are required.

For this workflow, several jobs already specify:

permissions:
  id-token: write
  contents: read
  actions: read

However, ci-lint-misc does not declare any permissions. To fix the specific CodeQL finding while keeping functionality unchanged and aligned with least privilege, we should add a permissions block under ci-lint-misc similar to the others but tailored to minimal needs. A safe minimal starting point is:

permissions:
  contents: read

This allows the job’s action to read repository contents if needed, without granting any write or extra privileges. If the called ci-lint-misc composite action later requires additional permissions, they can be added explicitly, but based on the information given we should not assume any write requirements.

Concretely: in .github/workflows/pull-request-main.yml, within the ci-lint-misc job definition (lines 33–38), insert a permissions: block between runs-on: ubuntu-latest and steps:. No imports or other files are involved.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.