
Conversation

@dmetzner (Collaborator)

Potential fix for https://github.com/Catrobat/Catroweb/security/code-scanning/1

In general, to fix this issue we should explicitly specify the minimal required permissions for the GITHUB_TOKEN in this workflow, either globally at the root level or per job. Since this workflow has a single job and only needs to read repository contents (for actions/checkout and the PHP script), the token can be limited to contents: read.

The best fix without changing existing functionality is to add a permissions: block that restricts contents to read. This can be added at the workflow root (right after name: and before on:) so it applies to all jobs, or inside the check_for_new_catroid_bricks job. Root-level is cleaner and future-proof for additional jobs. No imports or other code changes are needed; we only adjust the YAML to include:

permissions:
  contents: read

Concretely, in .github/workflows/check_for_new_bricks.yaml:

  • Insert a new permissions: section after line 13 (name: Check for new bricks) and before line 15 (# This check is independent...).
  • Ensure correct indentation (top-level) so it applies to the whole workflow.
  • No other lines or behavior need to be modified.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
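The check a practitioner would want alongside this fix is an audit that flags every workflow still running with the default GITHUB_TOKEN scope. The following is an added example, not code from the Catroweb repository or from the Copilot Autofix suggestion: a dependency-free Python checker that accepts a workflow only if `permissions:` is declared at the root (covering all jobs) or in every job, and additionally flags `write-all`. Both workflow texts are constructed for the example and only loosely resemble .github/workflows/check_for_new_bricks.yaml; the cron expression, step commands and action versions are assumptions.

```python
"""Audit GitHub Actions workflows for an undeclared GITHUB_TOKEN scope.

Added example; the two workflow strings below are constructed and are not
the real contents of .github/workflows/check_for_new_bricks.yaml.
"""
import re

# "Before": no permissions block, so the job inherits the repository's
# default token scopes, which may include write access to contents.
WORKFLOW_BEFORE = """\
name: Check for new bricks

on:
  schedule:
    - cron: '0 6 * * 1'

jobs:
  check_for_new_catroid_bricks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: php bin/check_for_new_bricks.php
"""

# "After": the fix described in the PR, a root-level block that limits the
# token to contents: read for every job in the file.
WORKFLOW_AFTER = """\
name: Check for new bricks

permissions:
  contents: read

on:
  schedule:
    - cron: '0 6 * * 1'

jobs:
  check_for_new_catroid_bricks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: php bin/check_for_new_bricks.php
"""

# Matches a plain `key:` or `key: value` mapping line; list items (`- ...`)
# and comments are deliberately not matched. This is enough for the root
# and job levels of a workflow file without pulling in PyYAML.
KEY_RE = re.compile(r"^(\s*)([A-Za-z_][\w-]*):\s*(.*?)\s*$")


def parse_keys(text):
    """Return (line_no, indent, key, inline_value) for each mapping key."""
    keys = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            keys.append((lineno, len(m.group(1)), m.group(2), m.group(3)))
    return keys


def audit_workflow(text):
    """Return a list of findings; an empty list means least privilege is declared.

    Rule: a root `permissions:` block covers all jobs; otherwise every job
    under `jobs:` must carry its own. `write-all` is reported in either place.
    """
    keys = parse_keys(text)
    findings = []

    root_perms = [v for _, ind, k, v in keys if ind == 0 and k == "permissions"]
    if root_perms:
        if root_perms[0] == "write-all":
            findings.append("root permissions is write-all; restrict to the scopes the jobs need")
        return findings  # a root block (a map or `{}`) applies to every job

    in_jobs = False
    job = None
    job_perms = {}  # job name -> inline value of its permissions key, or None
    for _, ind, key, value in keys:
        if ind == 0:
            in_jobs = key == "jobs"
            job = None
        elif in_jobs and ind == 2:
            job = key
            job_perms[key] = None
        elif in_jobs and ind == 4 and job is not None and key == "permissions":
            job_perms[job] = value or "<map>"

    if not job_perms:
        findings.append("no jobs found and no root permissions block")
    for name, perms in job_perms.items():
        if perms is None:
            findings.append(f"job '{name}' runs with the default GITHUB_TOKEN scope; "
                            "declare permissions: at the root or in the job")
        elif perms == "write-all":
            findings.append(f"job '{name}' declares permissions: write-all")
    return findings


if __name__ == "__main__":
    for label, wf in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print(label, "->", audit_workflow(wf) or "ok")
```

Run it over `.github/workflows/*.y*ml` in a repository to find the remaining workflows without a declared scope. The checker accepts any root block, including an empty `permissions: {}`, because an explicit declaration is the point; whether `contents: read` is actually sufficient for a given job is still a manual review question, exactly as the PR text says.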

dmetzner and others added 2 commits January 23, 2026 10:31
…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@codecov bot commented Jan 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 50.00%. Comparing base (1bc2a40) to head (676aa4e).
⚠️ Report is 5 commits behind head on develop.

Additional details and impacted files
@@              Coverage Diff              @@
##             develop    #6124      +/-   ##
=============================================
- Coverage      50.01%   50.00%   -0.02%     
  Complexity      7481     7481              
=============================================
  Files            722      722              
  Lines          24100    24100              
=============================================
- Hits           12054    12051       -3     
- Misses         12046    12049       +3     
Flag      Coverage   Δ
behat     47.70%     <ø> (-0.02%) ⬇️
phpunit   10.18%     <ø> (ø)

Flags with carried forward coverage won't be shown.

@dmetzner dmetzner marked this pull request as ready for review January 23, 2026 10:07
@dmetzner dmetzner merged commit 2d1d730 into develop Jan 23, 2026
50 of 51 checks passed