
Add explicit permissions to GitHub Actions workflow#10

Merged
jonrohan merged 2 commits into main from copilot/fix-missing-workflow-permissions
Dec 8, 2025

Conversation


Copilot AI commented Dec 8, 2025

GitHub is changing the default Actions workflow permissions to read-only on December 9. This workflow commits and pushes generated documentation but lacks explicit permission declarations.

Changes

  • Added permissions: contents: write at workflow level in .github/workflows/node.js.yml

The workflow requires write access to commit generated README.md, bower.json, and package.json files:

on:
  schedule:
    - cron: "0 8 * * *"
  workflow_dispatch:

permissions:
  contents: write

jobs:
  build:
    runs-on: ubuntu-latest

This is the minimal permission required for the workflow's git commit/push operations.

Original prompt

This section details the original issue you should resolve

<issue_title>Action Needed: Missing Workflow Permissions in github/github-elements</issue_title>
<issue_description>### Contributors Notice

Contributors @github/primer-reviewers:
You are receiving this notification because you own or have recently contributed to github/github-elements or are among the top contributors visible to the security automation. This repository is access-restricted, so ownership metadata could not be fully determined. You’re tagged here to help ensure the team is aware of and prepared for the upcoming workflow permissions changes.


⚠️ Missing Workflow Permissions — Action Required

This repository (github/github-elements) was flagged during the workflow permissions reduction fanout as part of:

We were unable to create a PR or Issue directly in your repository due to restricted permissions.
Therefore, this notification is being created here in prodsec-engineering.


🔍 Alert Details

Repository: github/github-elements
Alert: https://github.com/github/github-elements/security/code-scanning/1
Reason: unknown

Ownership discovery: ownership-name: @github/primer-reviewers


📝 What you need to do before December 5th

GitHub is changing the default Actions workflow permissions to read-only on December 9.

If any workflow in github/github-elements requires write permissions and doesn’t explicitly declare them, it may fail once the change takes effect.

Please complete the following on or before December 5th:

  1. Review the affected alert(s) linked above
  2. Inspect and update your workflow files to explicitly define required permissions
  3. Confirm your workflows still function after making changes
  4. (Optional) Reduce permissions further — we encourage least privilege

GitHub Copilot Assignment Prompts

Copilot Suggestions (if applicable)

Copilot Autofix suggests a permissions fix:

  • Review the suggested changes
  • If safe and not workflow-breaking, feel free to apply them
  • Ensure the workflow still runs correctly
  • Merge the PR to resolve the alert

We are also adding prompts to make this issue more easily assignable to Copilot:

For GitHub Copilot:

Task: Add explicit permissions to GitHub Actions workflow files that are currently missing them.

Scope: Update the workflow files listed above to include appropriate permissions: blocks.

Analysis Methodology:

  1. Gather Current State: Check if the workflow has any existing permissions defined
  2. Inventory Workflow Actions:
    • Actions performed directly by the workflow
    • API calls made by the workflow
    • External actions included via uses: statements
  3. Determine Required Permissions: Map each action to its minimum required permissions
  4. Synthesize Minimal Permissions: Create permissions block with only necessary permissions

Requirements:

  1. Add a permissions: block to each workflow file that doesn't have one
  2. Start with contents: read as the minimum permission
  3. Add additional permissions only if the workflow actually needs them based on the actions it performs
  4. Place the permissions: block at the job level or workflow level as appropriate
  5. Ensure the syntax is correct and follows YAML formatting
  6. Maintain existing content formatting, including indentation and comments

Files to modify: See the list of affected workflow files above.

Acceptance criteria:

  • All listed workflow files have explicit permissions defined
  • Permissions follow the principle of least privilege
  • YAML syntax is valid
  • Workflows still function correctly after changes

Copilot Instructions:

Please create a pull request that adds appropriate permissions: blocks to each of the workflow files listed above. Analyze each workflow to determine the minimum permissions required based on the actions it performs, and add only those necessary permissions.

Need help?
Message us in #prodsec-engineering Slack
https://github-grid.enterprise.slack.com/archives/C05NT4Y6WSC

Or directly ping @cinderellasecure or @misfir3


👥 Contributors

@github/primer-reviewers

If this should go to a different team, please reassign accordingly.


</issue_description>

Comments on the Issue (you are @copilot in this section)

  • Fixes github/prodsec-engineering#932


Co-authored-by: jonrohan <54012+jonrohan@users.noreply.github.com>
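The analysis methodology and requirements in the issue text above (inventory what each job does, then synthesize the least permissions block it needs) implemented as a small stdlib-only audit script. This is an added example, not code from this PR or from github/github-elements; the sample workflow is constructed from the node.js.yml snippet in the PR description, and the command-to-scope map is an assumption to extend per repository.

```python
import re
# Heuristic: commands a step runs -> narrowest GITHUB_TOKEN scope they need (our list, not GitHub's).
WRITE_HINTS = [(re.compile(r"\bgit\s+push\b"), "contents", "write"),
               (re.compile(r"\bgh\s+pr\s+create\b"), "pull-requests", "write")]

# Constructed sample modelled on the PR's node.js.yml: no permissions block, one pushing job.
SAMPLE_WORKFLOW = """\
on:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm run build-docs
      - run: |
          git add README.md bower.json package.json
          git commit -m "Update generated docs" || exit 0
          git push
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: npm run lint
"""

def audit_workflow(text):
    """Report whether permissions are declared and the least each job needs."""
    report = {"workflow_permissions": False, "jobs": {}}
    in_jobs, job = False, None
    for line in text.splitlines():
        key = line.strip()
        if not key or key.startswith("#"): continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:                  # top-level key: on:, permissions:, jobs:
            in_jobs, job = key == "jobs:", None
            report["workflow_permissions"] |= key.startswith("permissions:")
        elif in_jobs and indent == 2 and key.endswith(":"):   # a new job id
            job = key[:-1]
            report["jobs"][job] = {"has_permissions": False, "recommended": {"contents": "read"}}
        elif job is not None:
            if indent == 4 and key.startswith("permissions:"):
                report["jobs"][job]["has_permissions"] = True
            for pattern, scope, level in WRITE_HINTS:
                if pattern.search(line):     # step needs write: widen from read
                    report["jobs"][job]["recommended"][scope] = level
    return report

def render_permissions(perms, indent=4):  # indent 4 = job level, 0 = workflow level
    pad = " " * indent
    return [pad + "permissions:"] + [f"{pad}  {k}: {v}" for k, v in sorted(perms.items())]
```

Jobs whose recommendation stays at contents: read can rely on a workflow-level read default, so only the job that pushes needs the rendered contents: write block inserted at job level.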
Copilot AI changed the title from "[WIP] Fix missing workflow permissions in github/github-elements" to "Add explicit permissions to GitHub Actions workflow" Dec 8, 2025
Copilot AI requested a review from jonrohan December 8, 2025 18:45
@jonrohan jonrohan marked this pull request as ready for review December 8, 2025 18:46
@jonrohan jonrohan requested a review from a team as a code owner December 8, 2025 18:46
Copilot AI review requested due to automatic review settings December 8, 2025 18:46
@jonrohan jonrohan merged commit b0a7dd1 into main Dec 8, 2025
7 checks passed
@jonrohan jonrohan deleted the copilot/fix-missing-workflow-permissions branch December 8, 2025 18:46

Copilot AI left a comment


Pull request overview

This PR adds explicit permissions: contents: write to the GitHub Actions workflow in preparation for GitHub's default permission change to read-only on December 9, 2025. The workflow generates and commits documentation files, requiring write access to the repository.

  • Added workflow-level permissions declaration with contents: write


