From a85b69d1b0e86eb571dabdf61e5dc6f548274681 Mon Sep 17 00:00:00 2001 From: IstvanZsSzekely <122256380+IstvanZsSzekely@users.noreply.github.com> Date: Fri, 17 Oct 2025 17:07:15 +0300 Subject: [PATCH] Potential fix for code scanning alert no. 1: Workflow does not contain permissions To fix this issue, we should add a permissions: block to the build-doc job in .github/workflows/top-level.yml, restricting the GITHUB_TOKEN to the minimum access required. Since the job only builds documentation and uploads artifacts, and does not need to push to the repository or access issues, contents: read is sufficient. This block should be added beneath runs-on: ubuntu-latest (line 9) and before the steps: block for the build-doc job. No other modification is needed. The deploy job already correctly sets its own permissions:. Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/top-level.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/top-level.yml b/.github/workflows/top-level.yml index 1841f153..3a558804 100644 --- a/.github/workflows/top-level.yml +++ b/.github/workflows/top-level.yml @@ -7,6 +7,8 @@ on: jobs: build-doc: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Set up Python
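Review bot: The job-level `permissions: contents: read` under `build-doc` is the right scope for a job that only checks out the source and builds documentation, but consider also adding a workflow-level default (a top-level `permissions: contents: read` next to `on:`) so that any job added to this workflow later inherits least privilege instead of the repository default token scopes; the `deploy` job, which the commit message says already declares its own `permissions:`, would keep overriding that default. Two things worth confirming against the steps that follow `- name: Set up Python` (not shown in this hunk): that no step in `build-doc` pushes to the repository or writes to issues, pull requests or pages, since any such step will now fail with a 403 rather than silently succeed, and that artifact upload is done with `actions/upload-artifact`, which uses the runner's own upload token rather than `GITHUB_TOKEN` repository scopes and so is unaffected by this restriction.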