
chore(ci): set top-level permissions on workflows #1057

Status: Open
arpitjain099 wants to merge 1 commit into ClickHouse:main from arpitjain099:chore/workflow-permissions

Conversation

arpitjain099 commented Jun 2, 2026

Small hardening change: set permissions: contents: read at the top of .github/workflows/build-health-checkup.yml, .github/workflows/code-quality.yml, .github/workflows/unit-tests.yml, .github/workflows/visual-regression-tests.yml so the workflow token is read-only instead of inheriting the repository default. The job only does checkout and build/test, so nothing else is required.


Note

Low Risk
Workflow-only least-privilege hardening with no application or runtime behavior changes.

Overview
Adds top-level permissions: contents: read to four GitHub Actions workflows (build-health-checkup, code-quality, unit-tests, and visual-regression-tests) so the default GITHUB_TOKEN is read-only instead of inheriting the repo’s broader default permissions.

These jobs only check out code and run install/build/test (and upload artifacts on failure in visual regression), so no write scopes are required for normal operation.

Reviewed by Cursor Bugbot for commit 0206dda.

Set an explicit least-privilege permissions block so the workflow GITHUB_TOKEN is scoped to contents: read instead of inheriting the repository default.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
changeset-bot (Bot) commented Jun 2, 2026

⚠️ No Changeset found

Latest commit: 0206dda

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


cursor (Bot) left a comment

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.


HUSKY: 0

permissions:
contents: read
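Review bot: the `permissions:` block is placed at the top level of the file, which replaces the repository default for every job and sets every scope not listed (including `actions`) to `none`; the PR overview says the visual-regression workflow uploads a Playwright report on failure, so that failure path should be exercised under the read-only token before merging, and if the upload step does turn out to need a wider scope it should be granted on that one job rather than by loosening the top-level block shared by all jobs.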


Missing actions: write permission breaks artifact upload

Medium Severity

Setting top-level permissions with only contents: read causes all other permissions (including actions) to default to none. The actions/upload-artifact@v6 action (v4+) requires actions: write to upload artifacts via the new backend. This means the "Upload test results" step will fail when visual regression tests fail, preventing developers from accessing the Playwright report needed to debug failures.

Reviewed by Cursor Bugbot for commit 0206dda.
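The scoping rules discussed in the description and in the Bugbot comment, as an added example that is not a file from the ClickHouse repository: a trimmed visual-regression workflow with the PR's read-only top-level block, plus a job-level override on the one job that uploads artifacts. The job names, npm commands and the assumption that the upload step needs `actions: write` are illustrative; if the upload works with the read-only token, the job-level block should be dropped.

```yaml
# Added example, not a workflow from the ClickHouse repo.
name: visual-regression-tests

on:
  pull_request:

env:
  HUSKY: 0

# Workflow-level block: applies to every job below. Any scope not listed
# here becomes `none`, so the token can no longer push commits, comment
# on PRs or touch releases, regardless of the repository default.
permissions:
  contents: read

jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm run build
      - run: npm test

  visual-regression:
    runs-on: ubuntu-latest
    # Job-level override (assumed, following the review comment, that the
    # upload step needs `actions: write`). A job-level block REPLACES the
    # workflow-level one rather than merging with it, so `contents: read`
    # has to be repeated here or checkout loses read access.
    permissions:
      contents: read
      actions: write
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npx playwright test
      - name: Upload test results
        if: failure()
        uses: actions/upload-artifact@v6
        with:
          name: playwright-report
          path: playwright-report/
```

Only the job that actually uploads gets the extra scope; the other three workflows keep the read-only token exactly as the PR proposes.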
