From 418aeef419b298d3165a74725e5dbae65a137461 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Sat, 16 May 2026 09:06:18 +0900 Subject: [PATCH] ci: declare workflow-level contents: read on 3 workflows Pins the default GITHUB_TOKEN to contents: read on workflows that don't call a GitHub API beyond the initial checkout. Other workflows that need write scopes are left implicit for a maintainer to declare. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load. Signed-off-by: Arpit Jain --- .github/workflows/check-links-periodic.yaml | 3 +++ .github/workflows/check-links-pr.yaml | 4 ++++ .github/workflows/test.yml | 3 +++ 3 files changed, 10 insertions(+) diff --git a/.github/workflows/check-links-periodic.yaml b/.github/workflows/check-links-periodic.yaml index 524b453..426e64e 100644 --- a/.github/workflows/check-links-periodic.yaml +++ b/.github/workflows/check-links-periodic.yaml @@ -10,6 +10,9 @@ on: schedule: - cron: "0 0,12 * * *" +permissions: + contents: read + jobs: markdown-link-check: runs-on: ubuntu-latest diff --git a/.github/workflows/check-links-pr.yaml b/.github/workflows/check-links-pr.yaml index f467cdd..418eed7 100644 --- a/.github/workflows/check-links-pr.yaml +++ b/.github/workflows/check-links-pr.yaml @@ -1,5 +1,9 @@ on: [pull_request] name: Check Markdown links in modified files + +permissions: + contents: read + jobs: markdown-link-check: runs-on: ubuntu-latest diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ec1f46d..0637e6b 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -5,6 +5,9 @@ on: branches: [main] pull_request: +permissions: + contents: read + jobs: pytest: runs-on: ubuntu-latest
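Review bot: for the check-links-periodic.yaml hunk, the diff context shows only `runs-on: ubuntu-latest`, so the commit's claim that this job calls no GitHub API beyond checkout cannot be confirmed from the patch; a scheduled link check that opens or updates an issue on failure would need `issues: write`, so please confirm the job only reports to the log. Keep in mind that once any scope is declared at workflow level every undeclared scope becomes `none`, so if such a step is added later it will need its own job-level `permissions:` block rather than relying on the repository default.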
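Review bot: for the check-links-pr.yaml hunk, a one-line YAML comment above `permissions:` stating that the token is deliberately read-only would help future maintainers: `on: [pull_request]` runs from forks already receive a read-only token, while same-repo pull requests do not, and someone adding a step that annotates the PR would otherwise hit a 403 with nothing in the file explaining why. Since the commit message cites token exfiltration as the motivation, `persist-credentials: false` on the checkout step is a natural companion change, because actions/checkout stores the token in the checked-out repository's git config by default.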
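Review bot: for the test.yml hunk, placement between the `pull_request:` trigger and `jobs:` matches the other two files, but the validation described in the commit message is weaker than it sounds: `yaml.safe_load` only proves the three files parse, not that `permissions` sits at a level GitHub honors or that `contents: read` is a recognized scope and value. Running `actionlint` over the three workflows before merge would check the key against the workflow schema and is cheap enough to mention in the message.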