
Conversation

@AtsushiSakai
Owner

Potential fix for https://github.com/AtsushiSakai/PythonRobotics/security/code-scanning/328

To address the issue, add a permissions block to the workflow that restricts the GITHUB_TOKEN permissions. Since the job does not appear to require write access—common for CodeQL workflows—the most minimal safe configuration is contents: read. This limits token usage to only reading repository contents, minimizing possible damage from any workflow compromise. Apply this change at the workflow root (before the jobs: block) to apply to all jobs that don't have their own permissions keys. If additional permissions were required for specific jobs, those could be set within that job's block, but that's not needed here.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@AtsushiSakai AtsushiSakai marked this pull request as ready for review October 19, 2025 09:49

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.


Comment on lines +11 to +12

permissions:
  contents: read


P1: Restore security-events write permission

Adding a top-level permissions block with only contents: read removes all other default scopes from the job. The subsequent github/codeql-action/analyze@v4 step needs security-events: write to upload SARIF results; without it the CodeQL workflow will fail when trying to publish findings. Explicitly include security-events: write (and any other required scopes) in this block so the scan can complete.

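The Copilot Autofix description above explains how a top-level permissions block constrains the GITHUB_TOKEN, and the Codex comment explains why contents: read alone breaks the CodeQL upload. The following is an added example, not code from this PR or from the PythonRobotics project: it resolves the scopes a job actually ends up with (job-level block, else top-level block, else the repository default) and checks them against what github/codeql-action/analyze needs. Assumptions, which are mine rather than the page's: workflows are given as Python dicts, i.e. the already-parsed form of the YAML, so the example runs without PyYAML; the required scopes follow the codeql-action documentation (security-events: write to upload SARIF, contents: read, and actions: read only for private repositories); the "restricted" default token grants contents: read and packages: read, and the "permissive" default grants write on every scope except id-token. The sample workflows are constructed to match the situation the page describes, not copied from the repository.

```python
"""Resolve effective GITHUB_TOKEN scopes for a job and check them against
the scopes github/codeql-action/analyze needs (added example, see lead-in)."""

# Scopes the `permissions:` key can name (assumed complete enough for this check)
SCOPES = [
    "actions", "attestations", "checks", "contents", "deployments",
    "discussions", "id-token", "issues", "packages", "pages",
    "pull-requests", "repository-projects", "security-events", "statuses",
]
RANK = {"none": 0, "read": 1, "write": 2}
ANALYZE_ACTION = "github/codeql-action/analyze"


def required_for_analyze(private_repo: bool) -> dict:
    """Scopes the analyze step needs (per codeql-action docs; assumption)."""
    req = {"security-events": "write", "contents": "read"}
    if private_repo:
        req["actions"] = "read"
    return req


def default_token_permissions(policy: str) -> dict:
    """Token scopes when no permissions block exists anywhere (assumed defaults)."""
    if policy == "restricted":
        perms = {scope: "none" for scope in SCOPES}
        perms.update({"contents": "read", "packages": "read"})
        return perms
    if policy == "permissive":
        perms = {scope: "write" for scope in SCOPES}
        perms["id-token"] = "none"
        return perms
    raise ValueError(f"unknown default policy: {policy}")


def normalize(block) -> dict:
    """Expand a `permissions:` value into an explicit per-scope map."""
    if block == "read-all":
        return {scope: "read" for scope in SCOPES}
    if block == "write-all":
        return {scope: "write" for scope in SCOPES}
    # A mapping (including the empty mapping `{}`) sets every unnamed scope to none
    perms = {scope: "none" for scope in SCOPES}
    for scope, level in (block or {}).items():
        if scope not in perms or level not in RANK:
            raise ValueError(f"unknown scope or level: {scope}: {level}")
        perms[scope] = level
    return perms


def effective_permissions(workflow: dict, job_name: str, policy: str = "restricted") -> dict:
    job = workflow["jobs"][job_name]
    if "permissions" in job:            # a job-level block replaces the top-level one, no merge
        return normalize(job["permissions"])
    if "permissions" in workflow:
        return normalize(workflow["permissions"])
    return default_token_permissions(policy)


def uses_analyze(job: dict) -> bool:
    return any(str(step.get("uses", "")).startswith(ANALYZE_ACTION)
               for step in job.get("steps", []))


def missing_scopes(workflow: dict, job_name: str, policy: str = "restricted",
                   private_repo: bool = False) -> dict:
    """Scopes the analyze step needs but the job does not have; {} when fine."""
    job = workflow["jobs"][job_name]
    if not uses_analyze(job):
        return {}
    have = effective_permissions(workflow, job_name, policy)
    return {scope: level for scope, level in required_for_analyze(private_repo).items()
            if RANK[have[scope]] < RANK[level]}


# Constructed samples (not the repository's workflow) covering the cases on the page
ANALYZE_STEP = {"name": "Perform CodeQL Analysis", "uses": "github/codeql-action/analyze@v4"}
NO_BLOCK = {"jobs": {"analyze": {"runs-on": "ubuntu-latest", "steps": [ANALYZE_STEP]}}}
AS_MERGED = {"permissions": {"contents": "read"},
             "jobs": {"analyze": {"runs-on": "ubuntu-latest", "steps": [ANALYZE_STEP]}}}
FIXED = {"permissions": {"contents": "read", "security-events": "write"},
         "jobs": {"analyze": {"runs-on": "ubuntu-latest", "steps": [ANALYZE_STEP]}}}
# Job-level override that forgets to repeat contents: read, since it replaces the top-level block
JOB_OVERRIDE = {"permissions": {"contents": "read"},
                "jobs": {"analyze": {"runs-on": "ubuntu-latest",
                                     "permissions": {"security-events": "write"},
                                     "steps": [ANALYZE_STEP]}}}

if __name__ == "__main__":
    for label, wf in [("no block", NO_BLOCK), ("as merged", AS_MERGED),
                      ("fixed", FIXED), ("job override", JOB_OVERRIDE)]:
        print(f"{label:13s} missing: {missing_scopes(wf, 'analyze') or 'nothing'}")
```

The job-override sample shows the trap the Codex comment hints at: a job-level permissions block replaces the top-level one rather than adding to it, so a job that sets only security-events: write silently loses contents: read. Running NO_BLOCK under the "permissive" policy also shows why the workflow worked before the block was added and why the error only appears once the block restricts the token.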

@AtsushiSakai AtsushiSakai merged commit 1311b94 into master Oct 20, 2025
8 checks passed
@AtsushiSakai AtsushiSakai deleted the alert-autofix-328 branch October 20, 2025 12:44