From 6b18b3ea4580642e671bd02989837e622c7000c3 Mon Sep 17 00:00:00 2001
From: Arpit Jain <arpitjain099@gmail.com>
Date: Fri, 15 May 2026 15:02:10 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 6 workflows

Pins the default GITHUB_TOKEN to contents: read on the workflows in
.github/workflows/ that don't call a GitHub API beyond the initial
checkout. The other workflows in this directory are left implicit
because they need write scopes that a maintainer is better placed
to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files
compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow
caps bound runtime authority irrespective of repo or org default,
give drift protection if the default ever widens, and are credited
per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
---
 .github/workflows/license-header-check.yml  | 3 +++
 .github/workflows/lint.yml                  | 3 +++
 .github/workflows/snyk-scan-edge-npm-pr.yml | 3 +++
 .github/workflows/snyk-scan-npm-pr.yml      | 3 +++
 .github/workflows/yarn-scan-cypress-pr.yml  | 3 +++
 .github/workflows/yarn-scan-pr.yml          | 3 +++
 6 files changed, 18 insertions(+)

diff --git a/.github/workflows/license-header-check.yml b/.github/workflows/license-header-check.yml
index 1cf250c4..ff9c5831 100644
--- a/.github/workflows/license-header-check.yml
+++ b/.github/workflows/license-header-check.yml
@@ -12,6 +12,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   license-header-check:
     name: License Header Check
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 6e7e934b..989893b5 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -11,6 +11,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/snyk-scan-edge-npm-pr.yml b/.github/workflows/snyk-scan-edge-npm-pr.yml
index 883a6366..daef2b3e 100644
--- a/.github/workflows/snyk-scan-edge-npm-pr.yml
+++ b/.github/workflows/snyk-scan-edge-npm-pr.yml
@@ -10,6 +10,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   snyk-scan-edge-npm-pr:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/snyk-scan-npm-pr.yml b/.github/workflows/snyk-scan-npm-pr.yml
index 3c7a0c63..be2cdb18 100644
--- a/.github/workflows/snyk-scan-npm-pr.yml
+++ b/.github/workflows/snyk-scan-npm-pr.yml
@@ -10,6 +10,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   snyk-scan-npm-pr:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/yarn-scan-cypress-pr.yml b/.github/workflows/yarn-scan-cypress-pr.yml
index 0f344084..c49d3c49 100644
--- a/.github/workflows/yarn-scan-cypress-pr.yml
+++ b/.github/workflows/yarn-scan-cypress-pr.yml
@@ -10,6 +10,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   yarn-scan-cypress-pr:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/yarn-scan-pr.yml b/.github/workflows/yarn-scan-pr.yml
index bc72b88c..bc0cf755 100644
--- a/.github/workflows/yarn-scan-pr.yml
+++ b/.github/workflows/yarn-scan-pr.yml
@@ -10,6 +10,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   yarn-scan-pr:
     runs-on: ubuntu-latest