ci: declare workflow-level contents: read on 6 workflows

[arpitjain099]

Pins the default GITHUB_TOKEN to contents: read on 6 workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout.

Why

CVE-2025-30066 (March 2025 tj-actions/changed-files supply-chain compromise) exfiltrated GITHUB_TOKEN from workflow logs. Pinning per workflow caps runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load on each touched file.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e7bdcefd-a45e-4438-8f3e-aee8ba27d36a

📥 Commits

Reviewing files that changed from the base of the PR and between 1181df0 and 6b18b3e.

📒 Files selected for processing (6)

• .github/workflows/license-header-check.yml
• .github/workflows/lint.yml
• .github/workflows/snyk-scan-edge-npm-pr.yml
• .github/workflows/snyk-scan-npm-pr.yml
• .github/workflows/yarn-scan-cypress-pr.yml
• .github/workflows/yarn-scan-pr.yml

---

Walkthrough

Six GitHub Actions workflows receive explicit top-level permissions declarations, each setting contents: read to restrict the GitHub token to read-only repository access. The changes apply consistently across Snyk NPM, Snyk Edge NPM, Yarn, License Header, and Lint workflows without modifying job or step logic.

Changes

GitHub Actions Token Permissions Hardening

Layer / File(s)	Summary
Restrict token permissions to read contents .github/workflows/snyk-scan-npm-pr.yml, .github/workflows/yarn-scan-cypress-pr.yml, .github/workflows/license-header-check.yml, .github/workflows/yarn-scan-pr.yml, .github/workflows/lint.yml, .github/workflows/snyk-scan-edge-npm-pr.yml	All six workflows add a top-level permissions block explicitly restricting GitHub token access to contents: read.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding workflow-level contents: read permissions to 6 workflows.
Description check	✅ Passed	The description is directly related to the changeset, explaining the security rationale behind adding workflow-level permissions and referencing CVE-2025-30066.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[lukaszgryglicki]

/lgtm

[arpitjain099]

@lukaszgryglicki - approved + green. Mergeable when you have a moment, thanks!