Potential fix for code scanning alert no. 34: Workflow does not contain permissions#19

Merged
surajsbharadwaj merged 1 commit into main from alert-autofix-34 on Jan 19, 2026
Conversation

@surajsbharadwaj (Collaborator)

Potential fix for https://github.com/IBM-Cloud/ibm-sap-hana-backint-cos/security/code-scanning/34

In general, the fix is to add an explicit permissions block either at the workflow root (applies to all jobs) or under the goreleaser job, granting only the minimal permissions needed. This overrides potentially broad repository defaults and ensures the GITHUB_TOKEN is constrained.

For this specific workflow, the job needs to: (1) read repository contents (for checkout) and (2) create/update GitHub releases and upload assets, which for GitHub’s permission model is covered by contents: write. To follow least privilege while preserving existing behavior, we should add a root‑level permissions block directly under name: release specifying contents: write. This keeps functionality intact (Goreleaser can still create releases) while making the permissions explicit and satisfying CodeQL’s requirement that some explicit block be present.

Concretely:

  • Edit .github/workflows/release.yml.

  • After line 12 (name: release), insert:

        permissions:
          contents: write

  • Leave all jobs and steps unchanged.

No additional methods, imports, or definitions are needed; this is a pure YAML configuration change.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
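As an added illustration of the change described in the PR (not the repository's own release.yml, which is not reproduced on this page), the following is a minimal release workflow of the shape the description implies: a workflow named `release` with a single `goreleaser` job that checks out the code and publishes a release. The root-level `permissions` block is the fix; everything else (the tag trigger, the action versions, the setup-go step, the `--clean` argument) is an assumption chosen for illustration.

```yaml
# Added example, not the project's own workflow file.
# Only "name: release", the goreleaser job and the permissions block
# come from the PR description; the rest is assumed for illustration.
name: release

on:
  push:
    tags:
      - "v*"        # assumed trigger

# Root-level block: applies to every job below and replaces the
# repository's default GITHUB_TOKEN grants (which may be read/write on
# every scope). Once any scope is listed here, every scope that is not
# listed is set to "none" (except metadata, which stays read).
permissions:
  contents: write   # read for checkout, write to create the release and upload assets

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0            # goreleaser needs full history/tags for changelogs

      - uses: actions/setup-go@v5   # assumed; the real workflow may pin differently
        with:
          go-version-file: go.mod

      - uses: goreleaser/goreleaser-action@v6
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The same grant can instead be placed at job scope, under `jobs.goreleaser.permissions`, which is the second option the description mentions; when a workflow has several jobs, a root-level `permissions: {}` plus per-job grants is the tighter form, since each job then receives only what it declares. Either way, a quick check after the edit is to confirm that the `contents: write` line is indented at the same level as `name:` (root scope) or as `runs-on:` (job scope), because a mis-indented block is silently ignored and the CodeQL alert will simply reappear.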

…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@surajsbharadwaj surajsbharadwaj marked this pull request as ready for review January 19, 2026 12:05
@surajsbharadwaj surajsbharadwaj merged commit 643d23c into main Jan 19, 2026
6 checks passed
@surajsbharadwaj surajsbharadwaj deleted the alert-autofix-34 branch January 19, 2026 12:11