CLOUD-929 Potential fix for code scanning alert no. 13: Workflow does not contain permissions

[hors]

Potential fix for https://github.com/percona/percona-server-mongodb-operator/security/code-scanning/13

In general, the fix is to add an explicit permissions: block limiting the GITHUB_TOKEN to the minimal scopes required. Since this workflow primarily checks code, runs linters/formatters, and performs git diff checks, read access to repository contents is sufficient; the actions that post comments or checks are using a separate github_token secret, so they do not need additional GITHUB_TOKEN privileges. The best minimal fix, without changing existing functionality, is to add a top-level permissions: section right under the workflow name: (before on:), setting contents: read. This will apply to all jobs (golangci-lint, gofmt, goimports-reviser, shfmt, shellcheck, misspell, alex, manifests) unless overridden per job. No imports or extra methods are needed; this is a pure YAML configuration change in .github/workflows/reviewdog.yml.

Concretely: edit .github/workflows/reviewdog.yml around the top of the file. After line 1 (name: reviewdog), insert:

permissions:
  contents: read

leaving the rest of the file unchanged. This documents the intended permissions and ensures a restricted token even if repository/org defaults change later.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[JNKPercona]

Test Name	Result	Time
arbiter	passed	00:11:19
balancer	passed	00:19:55
cross-site-sharded	passed	00:18:34
custom-replset-name	passed	00:10:23
custom-tls	passed	00:14:41
custom-users-roles	passed	00:10:11
custom-users-roles-sharded	passed	00:11:39
data-at-rest-encryption	passed	00:13:05
data-sharded	passed	00:24:30
demand-backup	passed	00:15:29
demand-backup-eks-credentials-irsa	passed	00:00:07
demand-backup-fs	passed	00:22:43
demand-backup-if-unhealthy	passed	00:11:46
demand-backup-incremental-aws	passed	00:12:00
demand-backup-incremental-azure	passed	00:11:58
demand-backup-incremental-gcp-native	passed	00:12:13
demand-backup-incremental-gcp-s3	passed	00:10:44
demand-backup-incremental-minio	passed	00:24:42
demand-backup-incremental-sharded-aws	passed	00:18:08
demand-backup-incremental-sharded-azure	passed	00:17:19
demand-backup-incremental-sharded-gcp-native	passed	00:18:11
demand-backup-incremental-sharded-gcp-s3	passed	00:17:55
demand-backup-incremental-sharded-minio	passed	00:29:02
demand-backup-physical-parallel	passed	00:08:28
demand-backup-physical-aws	passed	00:12:22
demand-backup-physical-azure	passed	00:12:26
demand-backup-physical-gcp-s3	passed	00:11:18
demand-backup-physical-gcp-native	passed	00:12:29
demand-backup-physical-minio	passed	00:21:13
demand-backup-physical-minio-native	passed	00:25:56
demand-backup-physical-minio-native-tls	passed	00:20:23
demand-backup-physical-sharded-parallel	passed	00:11:46
demand-backup-physical-sharded-aws	passed	00:18:20
demand-backup-physical-sharded-azure	passed	00:18:12
demand-backup-physical-sharded-gcp-native	passed	00:17:49
demand-backup-physical-sharded-minio	passed	00:18:10
demand-backup-physical-sharded-minio-native	passed	00:18:23
demand-backup-sharded	passed	00:27:31
disabled-auth	passed	00:16:50
expose-sharded	passed	00:34:35
finalizer	passed	00:10:13
ignore-labels-annotations	passed	00:08:00
init-deploy	passed	00:13:31
ldap	passed	00:09:40
ldap-tls	passed	00:13:29
limits	passed	00:06:23
liveness	passed	00:09:26
mongod-major-upgrade	passed	00:13:28
mongod-major-upgrade-sharded	passed	00:20:59
monitoring-2-0	passed	00:25:27
monitoring-pmm3	passed	00:29:07
multi-cluster-service	passed	00:13:36
multi-storage	passed	00:19:19
non-voting-and-hidden	passed	00:16:57
one-pod	passed	00:08:04
operator-self-healing-chaos	passed	00:12:41
pitr	passed	00:34:39
pitr-physical	passed	01:02:06
pitr-sharded	passed	00:21:20
pitr-to-new-cluster	passed	00:25:03
pitr-physical-backup-source	passed	00:58:15
preinit-updates	passed	00:04:59
pvc-auto-resize	passed	00:14:40
pvc-resize	passed	00:15:55
recover-no-primary	passed	00:26:49
replset-overrides	passed	00:18:32
replset-remapping	passed	00:17:05
replset-remapping-sharded	passed	00:17:48
rs-shard-migration	passed	00:14:40
scaling	passed	00:10:57
scheduled-backup	passed	00:17:33
security-context	passed	00:06:56
self-healing-chaos	passed	00:15:00
service-per-pod	passed	00:18:38
serviceless-external-nodes	passed	00:07:23
smart-update	passed	00:08:17
split-horizon	passed	00:13:49
stable-resource-version	passed	00:04:43
storage	passed	00:07:31
tls-issue-cert-manager	passed	00:29:20
unsafe-psa	passed	00:07:57
upgrade	passed	00:09:53
upgrade-consistency	passed	00:06:43
upgrade-consistency-sharded-tls	passed	00:54:54
upgrade-sharded	passed	00:19:59
upgrade-partial-backup	passed	00:16:15
users	passed	00:18:03
users-vault	passed	00:13:06
version-service	passed	00:25:08

Summary	Value
Tests Run	89/89
Job Duration	03:28:16
Total Test Time	25:37:43

commit: a54c432
image: perconalab/percona-server-mongodb-operator:PR-2268-a54c432f5