Fix missing permissions in security-alert-burndown campaign workflow

[Copilot]

security-alert-burndown.campaign.g.md declared GitHub toolsets [default, actions, code_security] but omitted the required permissions: block, causing a compile error on every run.

Changes

• Added permissions block to .github/workflows/security-alert-burndown.campaign.g.md:

permissions:
  actions: read        # required by: actions
  contents: read       # required by: repos (default)
  issues: read         # required by: issues (default)
  pull-requests: read  # required by: pull_requests (default)
  security-events: read # required by: code_security

[github-actions]

Hey @Copilot 👋 — this is a clean, well-scoped fix! The permissions: block maps correctly to the declared toolsets (default, actions, code_security), the lock file's updated frontmatter_hash confirms pre-commit validation was run, and the change is tightly focused.

The needs-work signal is mechanical (no test files changed), but a YAML config fix like this doesn't need Go test coverage — the recompiled lock file is the validation signal here.

Suggested next step: Remove the draft status once CI passes and it's ready for maintainer eyes. 🟢

Generated by Contribution Check · ◷

[Copilot]

Pull request overview

Adds the missing GitHub Actions permissions configuration for the security-alert-burndown campaign workflow so the workflow compiles/runs under strict permissions validation.

Changes:

• Added a top-level permissions block to the campaign source workflow (security-alert-burndown.campaign.g.md).
• Updated the compiled/locked workflow (security-alert-burndown.campaign.g.lock.yml) to reflect the new metadata hash and the expanded job permissions.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
.github/workflows/security-alert-burndown.campaign.g.md	Adds the required permissions block alongside declared GitHub toolsets.
.github/workflows/security-alert-burndown.campaign.g.lock.yml	Regenerates the compiled workflow metadata and applies the corresponding job-level permissions.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.