Declare permissions

Repositories can be configured with Default access (restricted)
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

Best practice says that workflows should declare the minimal permissions they require.
Without declaring permissions, paranoid forks fail miserably.

.github/workflows/go-tests.yml

@@ -15,8 +15,13 @@ on:
       - .github/workflows/go-tests.yml
       - .github/actions/**
       - codeql-workspace.yml
+
 env:
   GO_VERSION: '~1.21.0'
+
+permissions:
+  contents: read
+
 jobs:
   test-linux:
     if: github.repository_owner == 'github'