Conversation

@wforney (Member) commented Jun 14, 2025

Potential fix for https://github.com/improvgroup/sharedcode/security/code-scanning/50

To fix the issue, we will add a permissions block to the root of the workflow and to individual jobs where necessary. This ensures that each job has the minimum required permissions for its tasks. For example:

  • The test job does not require any write permissions, so it will be limited to contents: read.
  • The semantic-release job requires write permissions for contents to create tags and releases.
  • The github-publish and nuget-publish jobs require packages: write to push packages.

We will add these permissions explicitly to the workflow and jobs.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@wforney wforney requested a review from Copilot June 14, 2025 09:15
@wforney wforney marked this pull request as ready for review June 14, 2025 09:15
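A release workflow laid out the way the description above says, as an added example that is not the repository's own release.yml (this page shows only the job names and the scopes granted; the trigger, step actions, tool versions, secret names and package source URLs below are assumptions). One caveat the description leaves implicit: a job-level permissions block replaces the workflow-level one rather than adding to it, so a job that declares packages: write must also re-declare contents: read if it checks out the repository.

```yaml
name: Release

on:
  push:
    branches: [main]

# Workflow-level default. Every job that declares no permissions block of
# its own gets a GITHUB_TOKEN limited to these scopes. Without this block
# the token falls back to the repository's default token permissions, which
# may be write-all, and that is what the code-scanning alert flags.
permissions:
  contents: read

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    # No permissions block: this job inherits contents: read from the root,
    # which is all a build-and-test job needs.
    steps:
      - uses: actions/checkout@v4          # assumed step
      - uses: actions/setup-dotnet@v4      # assumed step
        with:
          dotnet-version: 8.0.x            # assumed version
      - run: dotnet test --configuration Release

  semantic-release:
    name: Semantic Release
    needs: test
    runs-on: ubuntu-latest
    # A job-level block REPLACES the root block instead of merging with it,
    # so list every scope this job needs. contents: write covers pushing
    # tags and creating GitHub releases, which is what the description says
    # this job does.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0                   # semantic-release reads full history
      - uses: actions/setup-node@v4        # assumed step
        with:
          node-version: 20                 # assumed version
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  github-publish:
    name: Publish to GitHub
    needs: semantic-release
    runs-on: ubuntu-latest
    # contents: read is repeated here on purpose: because this block replaces
    # the root block, leaving it out would make the checkout step fail.
    # packages: write lets GITHUB_TOKEN push to GitHub Packages.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 8.0.x
      - run: dotnet pack --configuration Release --output ./nupkg
      - run: >-
          dotnet nuget push ./nupkg/*.nupkg
          --source https://nuget.pkg.github.com/improvgroup/index.json
          --api-key ${{ secrets.GITHUB_TOKEN }}
          --skip-duplicate

  nuget-publish:
    name: Publish to NuGet
    needs: semantic-release
    runs-on: ubuntu-latest
    # Same shape as github-publish, per the description. Note that a push to
    # nuget.org authenticates with the NUGET_API_KEY secret (assumed name),
    # not with GITHUB_TOKEN, so packages: write only matters for the GitHub
    # Packages feed; drop it here if this job never touches that feed.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 8.0.x
      - run: dotnet pack --configuration Release --output ./nupkg
      - run: >-
          dotnet nuget push ./nupkg/*.nupkg
          --source https://api.nuget.org/v3/index.json
          --api-key ${{ secrets.NUGET_API_KEY }}
          --skip-duplicate
```

With the root block in place, any job added to this file later without its own permissions key gets a read-only token, which is the property the code-scanning alert is after; write scopes then have to be requested explicitly, job by job, where a reviewer can see them.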

Copilot AI left a comment

Pull Request Overview

This PR adds explicit permissions blocks at the workflow root and for individual jobs to satisfy code scanning alert no. 50 by granting only the minimum required permissions.

  • Introduces a root-level permissions block with contents: read
  • Specifies job-level permissions for test, semantic-release, GitHub publish, and NuGet publish jobs
  • Limits each job to only the permissions needed for its tasks
Comments suppressed due to low confidence (3)

.github/workflows/release.yml:14

  • The permissions block for the test job duplicates the root-level contents: read. You can remove this block to reduce redundancy since jobs inherit root permissions.
    permissions:

.github/workflows/release.yml:65

  • [nitpick] The job name "Publish to Github" should use the correct capitalization of the GitHub brand ("GitHub").
      name: Publish to Github

.github/workflows/release.yml:85

  • [nitpick] The job name "Publish to Nuget" should use the correct branding capitalization ("NuGet").
      name: Publish to Nuget

@wforney wforney merged commit db2f573 into main Jun 14, 2025
1 check passed
@wforney wforney deleted the alert-autofix-50 branch June 14, 2025 09:16