Potential fix for code scanning alert no. 644: Shell command built from environment values (#34)

* Potential fix for code scanning alert no. 644: Shell command built from environment values

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 678: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 667: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 655: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 649: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 643: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 641: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: vinod0m

.github/workflows/gosec.yml

@@ -1,6 +1,8 @@
 # GoSec Security Checker
 # This workflow runs gosec to check Go code for security issues
 name: GoSec Security Checker
+permissions:
+  contents: read
 
 on:
   push:

.github/workflows/markdownlint.yml

@@ -1,6 +1,8 @@
 # Markdown Lint
 # This workflow runs markdownlint on all Markdown files in the repository
 name: Markdown Lint
+permissions:
+  contents: read
 
 on:
   push:

.github/workflows/metrics.yml

@@ -1,6 +1,8 @@
 # GitHub Metrics
 # This workflow generates a metrics SVG and commits it to the repository
 name: Metrics Embed
+permissions:
+  contents: write
 
 on:
   schedule: [{cron: "0 0 * * 0"}] # every week

.github/workflows/pylint.yml

@@ -1,3 +1,5 @@
+permissions:
+  contents: read
 name: Pylint
 
 on: [push]

.github/workflows/python-docs.yml

@@ -1,6 +1,8 @@
 # Python Auto Documentation
 # This workflow auto-generates documentation using Sphinx
 name: Python Auto Documentation
+permissions:
+  contents: read
 
 on:
   push:

.github/workflows/python-style.yml

@@ -1,6 +1,8 @@
 # Python Style Check
 # This workflow checks Python code style using flake8
 name: Python Style Check
+permissions:
+  contents: read
 
 on:
   push:

build/azure-pipelines/publish-types/update-types.ts

@@ -16,7 +16,7 @@ try {
 
 	const dtsUri = `https://raw.githubusercontent.com/microsoft/vscode/${tag}/src/vscode-dts/vscode.d.ts`;
 	const outPath = path.resolve(process.cwd(), 'DefinitelyTyped/types/vscode/index.d.ts');
-	cp.execSync(`curl ${dtsUri} --output ${outPath}`);
+	cp.execFileSync('curl', [dtsUri, '--output', outPath]);
 
 	updateDTSFile(outPath, tag);