Potential fixes for 2 code scanning alerts

[cinderellasecure]

Potential fixes for 2 code scanning alerts from the Copilot AutoFix: Missing Permissions in Workflows security campaign:

• https://github.com/github/auto-check-element/security/code-scanning/2 To fix the problem, you should add a permissions: block with the minimal permissions necessary to the workflow. Generally, publishing to npm requires a secret token set via environment variables, not via GITHUB_TOKEN, and the steps listed only need access to the repository's content for read purposes. The least privilege is thus contents: read. You can set this at the root level of the workflow (before jobs:) to apply to all jobs, or specifically within a job. In this case, adding at the root is simplest.

  You should edit .github/workflows/publish.yml, inserting the following immediately after the name: (line 1) and before the on: (line 3):

  permissions:
  contents: read
  

  No additional methods, external libraries, or dependencies are required.

• https://github.com/github/auto-check-element/security/code-scanning/1 To fix the problem, you need to add a permissions block to the workflow, specifying minimally required permissions for the GITHUB_TOKEN. For the steps shown (checkout code and run npm scripts), the workflow just needs to read repository contents; it does not need to write to contents, create issues, or interact with pull requests. The best place to add the permissions block is at the workflow root, directly below the name field, so it applies to all jobs, unless per-job overrides are needed. To implement the fix, add the configuration:

  permissions:
  contents: read
  

  to .github/workflows/nodejs.yml, after the name field and before on:. No additional method definitions, variable definitions, or external libraries are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.