Set explicit contents: read permissions in CI workflow

[EliahKagan]

This specifies contents: read permissions only for ci.yml, since no other permissions are currently needed in it. In so doing, it avoids the ambiguous and sometimes greater than intended workflow permissions assigned if no permissions key is used.

This is similar in motivation to, though much simpler than, GitoxideLabs/gitoxide@f41a58c (GitoxideLabs/gitoxide#1668).

---

Although I worked on the workflow in #34, I did not notice that this was missing at that time. But I enabled experimental CodeQL queries for GitHub Actions workflows in my fork, which conveniently found this.

• Find and fix Actions workflows vulnerabilities with CodeQL (Public Preview)
• How to secure your GitHub Actions workflows with CodeQL

Although CodeQL can be enabled by writing a workflow that runs it (an "advanced" setup), I suggest enabling the default setup, which requires no workflow file, in this repository's security settings. CodeQL doesn't yet have Rust queries, so this would only be for GitHub Actions, for which I think it should not be necessary to go beyond the default setup. (You may also want to enable it in cargo-smart-release.)

By the way, I've found that, at least as things stand now, for GitHub Actions queries, the default setup is in practice more versatile than advanced setups in one important way. Like advanced setups, the default setup allows configuring which suite of queries to run. Since, unlike advanced setups, the default setup requires no workflow file, this makes it easy for an upstream repository and its forks to run different suites, without diverging. For example, I enabled the default setup with the default suite in gitoxide about 10 days ago, while also running the default setup with the security-extended suite in my fork, which includes queries that are more subjective in nature or that may carry more false positives.

[Byron]

Thanks a lot for continuously improving the project 🙏!

[EliahKagan]

Thanks, and no problem! Since GitoxideLabs/cargo-smart-release#48 (comment), I've enabled CodeQL in cargo-smart-release with the default setup using the default query suite. (I am able to do that there even though I don't currently have write access because I have the security manager role in the GitoxideLabs organization and the default setup doesn't require a workflow file.) But I cannot do that here, so if you do want CodeQL for GitHub Actions here in the prodash repository then I think you would have to enable that.

[Byron]

As prodash is mainly used by gitoxide, even though it was created for criner (crates-io-miner), I decided to move it to the organisation, too. Now you have write permissions, and should be able to turn CodeQL on as well.