
Potential fix for code scanning alert no. 4: Workflow does not contain permissions#350

Open
ThomasPedleyNHS wants to merge 3 commits into master from feature/nhso-0000-autofix-permissions-2

Conversation

@ThomasPedleyNHS
Contributor

Potential fix for https://github.com/NHSDigital/nhs-app-api/security/code-scanning/4

In general, the fix is to explicitly declare a permissions block, either at the top (workflow level, under name/on) or inside the specific job. This block should grant the least privileges required. For this workflow, most steps need only read access to the repository contents, while the release-creation step requires write access to repository contents.

The single best fix with minimal functional change is to add a workflow-level permissions block after the on: push line that sets contents: write. This is already the effective requirement because actions/create-release@v1 needs to create releases/tags, which map to contents: write. We do not see any need for other scopes (issues, pull-requests, packages, etc.), so they should remain unset (implicitly none). No other code changes are needed.

Concretely, in .github/workflows/continuous-integration.yml, insert:

permissions:
  contents: write

after line 3 (on: push). No imports or additional methods are required, as this is purely a YAML configuration change.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
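A tighter variant of the fix described above, added here as an example and not the repository's own continuous-integration.yml: the workflow-level block stays at contents: read and the write scope is raised only on the job that creates the release. The job names, steps and tag condition are assumptions; actions/create-release@v1 is the action the description names.

```yaml
# Added example workflow (assumed layout, not the repository's file).
name: CI
on: push

# Workflow-level default: every job starts with a read-only GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits contents: read; no write scope is available to these steps.
    steps:
      - uses: actions/checkout@v4
      - run: make test   # assumed build/test command

  release:
    needs: build
    if: startsWith(github.ref, 'refs/tags/')   # assumed: release only on tags
    runs-on: ubuntu-latest
    # A job-level permissions block replaces the workflow-level one for this
    # job only, so the write scope create-release needs is confined here.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref_name }}
          release_name: Release ${{ github.ref_name }}
```

Scopes not listed in either block (issues, pull-requests, packages and so on) remain none, matching the intent stated in the description.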

… not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions

github-actions Bot commented May 8, 2026

This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:

@ThomasPedleyNHS ThomasPedleyNHS marked this pull request as ready for review May 8, 2026 14:17
@ThomasPedleyNHS ThomasPedleyNHS enabled auto-merge (squash) May 8, 2026 14:17

@ThomasPedleyNHS ThomasPedleyNHS requested a review from Copilot May 8, 2026 14:31

@sonarqubecloud

sonarqubecloud Bot commented May 8, 2026


Copilot AI left a comment


Pull request overview

Adds explicit GitHub Actions permissions declarations to address code-scanning alert #4 (“Workflow does not contain permissions”) by defining the GITHUB_TOKEN scopes required by workflows that read repo content and create releases / comment on PRs.

Changes:

  • Add workflow-level permissions: contents: write to the CI workflow so release creation can succeed.
  • Add workflow-level permissions to the PR lint workflow for reading contents and writing to PRs.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
.github/workflows/pr-lint.yaml Adds explicit permissions for PR linting workflow.
.github/workflows/continuous-integration.yml Adds explicit permissions for CI workflow, including repo write for release creation.


Comment on lines +4 to +5
permissions:
contents: write
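Review bot: contents: write at the workflow level (lines +4 to +5) grants the write scope to every job in the workflow, while the description above states that most steps need only read access and only the release-creation step needs write. Consider keeping the workflow-level block at `contents: read` and declaring `permissions:` / `contents: write` on the job that runs actions/create-release@v1, so the checkout and build jobs cannot push to the repository with GITHUB_TOKEN if one of their steps is compromised.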
name: PR Quality Check
on: pull_request
permissions:
contents: read
Comment on lines +3 to +5
permissions:
contents: read
pull-requests: write