
Fix for code scanning alert no. 1: Workflow does not contain permissions #7

Merged
admdly merged 9 commits into main from alert-autofix-1
Mar 8, 2026

Conversation

admdly (Contributor) commented Mar 8, 2026

Potential fix for https://github.com/FOSSBilling/example-module/security/code-scanning/1

In general, the fix is to explicitly define a permissions: block that grants only the minimal required access to the GITHUB_TOKEN. For this workflow, both jobs only need to read repository contents and tags/releases. They do not need to push commits, modify PRs, or interact with issues. Therefore, contents: read is sufficient for the entire workflow.

The best fix without changing functionality is to add a root-level permissions: block (so it applies to all jobs) directly under the name: or on: section in .github/workflows/php-ci.yml. Set it to contents: read, which mirrors the minimum suggested by CodeQL. There is no evidence that other scopes (like pull-requests or issues) are needed, and none of the used actions document a requirement for write permissions in this use case. No additional methods, imports, or definitions are needed, since this is purely a YAML configuration change to the workflow file.

Concretely:

  • Edit .github/workflows/php-ci.yml.
  • Insert:
permissions:
  contents: read

near the top of the file at workflow scope, e.g., after the on: block (or directly after name:; either is valid). This will ensure both phpstan and phpstan-release jobs run with a read‑only GITHUB_TOKEN, resolving the CodeQL finding.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
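The following workflow is a constructed illustration of the change this PR describes, not the repository's actual .github/workflows/php-ci.yml. Only the job names phpstan and phpstan-release and the contents: read scope come from the PR description; the triggers, actions and commands are assumed for the example. The "before" state is simply this file without the permissions: block, in which case the GITHUB_TOKEN receives the repository's default permission set, which may be read/write depending on repository or organization settings.

```yaml
# Constructed example, not the project's own php-ci.yml. Job names are taken from
# the PR description; triggers, actions and commands are assumed.
name: PHP CI

on:
  push:
    branches: [main]
  pull_request:
  release:
    types: [published]

# Workflow-level least-privilege token (the fix). Once any scope is listed here,
# every scope that is not listed is set to "none", so both jobs below run with a
# GITHUB_TOKEN that can only read repository contents, tags and releases.
permissions:
  contents: read

jobs:
  phpstan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install dependencies
        run: composer install --no-interaction --prefer-dist
      - name: Run PHPStan
        run: vendor/bin/phpstan analyse

  phpstan-release:
    # Only runs for the release trigger; it still needs nothing beyond read access.
    if: github.event_name == 'release'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.release.tag_name }}
      - name: Install dependencies
        run: composer install --no-interaction --prefer-dist
      - name: Run PHPStan against the release tag
        run: vendor/bin/phpstan analyse
```

Two details worth checking when reviewing a change like this: a job-level permissions: block replaces the workflow-level one for that job rather than merging with it, so a job that later needs extra access (for example a job that publishes a release) should list every scope it needs, including contents: read, in its own block; and because unlisted scopes fall back to none, a step that silently relied on the old default token (commenting on a PR, pushing a tag) will start failing with a 403 after this change, which is the expected way to discover that it needed a scope the workflow never declared.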

admdly and others added 2 commits March 8, 2026 09:34
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@admdly admdly changed the title Potential fix for code scanning alert no. 1: Workflow does not contain permissions Fix for code scanning alert no. 1: Workflow does not contain permissions Mar 8, 2026
@admdly admdly marked this pull request as ready for review March 8, 2026 10:01
@admdly admdly merged commit 56f6ff4 into main Mar 8, 2026
2 of 4 checks passed
@admdly admdly deleted the alert-autofix-1 branch March 8, 2026 10:15