From 50db6c5e04d04fe3deb3e4d506c4a1232ce39571 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Fri, 15 May 2026 14:46:19 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 3 workflows

Pins the default GITHUB_TOKEN to contents: read on the workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout. The other workflows in this directory are left implicit because they need write scopes that a maintainer is better placed to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain
---
 .github/workflows/tests-main.yml | 3 +++
 .github/workflows/tests-manual.yml | 3 +++
 .github/workflows/tests-pr.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/tests-main.yml b/.github/workflows/tests-main.yml
index ef01bfaaf6..67a89f6306 100644
--- a/.github/workflows/tests-main.yml
+++ b/.github/workflows/tests-main.yml
@@ -24,6 +24,9 @@ env:
   GH_TOKEN_SHOP: ${{ secrets.SHOP_GH_READ_CONTENT_TOKEN }}
   DEFAULT_NODE_VERSION: '26.1.0'
 
+permissions:
+  contents: read
+
 jobs:
   main:
     name: '[Main] Node ${{ matrix.node }} in ${{ matrix.os }}'
diff --git a/.github/workflows/tests-manual.yml b/.github/workflows/tests-manual.yml
index 6f49c0f048..c469f99881 100644
--- a/.github/workflows/tests-manual.yml
+++ b/.github/workflows/tests-manual.yml
@@ -44,6 +44,9 @@ env:
   DEFAULT_NODE_VERSION: '26.1.0'
   DEFAULT_OS: 'ubuntu-latest'
 
+permissions:
+  contents: read
+
 jobs:
   manually-triggered:
     name: '[Manual] Test with Node ${{ inputs.node-version }} in ${{ inputs.os }}'
diff --git a/.github/workflows/tests-pr.yml b/.github/workflows/tests-pr.yml
index f2fac95275..cd92ccd444 100644
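Review bot: The new `permissions: contents: read` block bounds only the default GITHUB_TOKEN, while the credential most exposed in this hunk is the one two lines above it: `GH_TOKEN_SHOP: ${{ secrets.SHOP_GH_READ_CONTENT_TOKEN }}` lives in the workflow-level `env:`, so that PAT is materialised in every step of every job, which is precisely what the tj-actions-style secret dump cited in the commit message would harvest. Moving the variable into the `env:` of the single step that needs it is the change that actually narrows that exposure; the job body is outside this hunk, so I cannot point at the step. Add a comment so the next reader does not assume the cap covers the PAT: `# Caps the default GITHUB_TOKEN only (checkout needs no more); GH_TOKEN_SHOP above is a PAT and is not bounded by this block.`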
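Review bot: The `permissions:` block added to tests-manual.yml carries none of the rationale the commit message gives, so a maintainer who later adds a step that calls the API has no in-file signal that the read-only scope is deliberate rather than a leftover default; add above it `# Least-privilege default GITHUB_TOKEN: this workflow only needs checkout. Widen per-job, not here, if a step starts calling the GitHub API.` The context line `name: '[Manual] Test with Node ${{ inputs.node-version }} in ${{ inputs.os }}'` shows workflow_dispatch inputs interpolated directly, which is harmless in `name:`; if the same inputs are also expanded inside a `run:` script further down the job (outside this hunk, so unverified), pass them through step `env:` instead of `${{ }}` in the script body. Dispatch requires write access, so that exposure is to collaborators rather than anonymous users, but the env-indirection habit is cheap.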
--- a/.github/workflows/tests-pr.yml
+++ b/.github/workflows/tests-pr.yml
@@ -18,6 +18,9 @@ env:
   GH_TOKEN_SHOP: ${{ secrets.SHOP_GH_READ_CONTENT_TOKEN }}
   DEFAULT_NODE_VERSION: '26.1.0'
 
+permissions:
+  contents: read
+
 jobs:
   type-check:
     name: 'Type check'
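Review bot: For a pull-request workflow the GITHUB_TOKEN handed to fork-originated runs is already read-only, so this block mostly buys drift protection, whereas the `GH_TOKEN_SHOP: ${{ secrets.SHOP_GH_READ_CONTENT_TOKEN }}` line it sits under is a PAT that `permissions:` does not constrain and that `type-check` and every other job inherit through workflow-level `env:`. The `on:` block is outside the hunk; if the trigger is `pull_request_target`, or if same-repo PRs run with secrets populated, that PAT is reachable from PR-controlled code (a malicious `package.json` script during install, for instance), and moving it to step-level `env:` on the one step that needs it is what addresses the exfiltration scenario the commit message invokes. Please also document the scope of the new block so it is not mistaken for a cap on the PAT: `# Caps GITHUB_TOKEN only; GH_TOKEN_SHOP above is a separate PAT and is not covered.`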