From d5a4bce17f1a7004a20d2a2b0fa56747e1fd8993 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Fri, 15 May 2026 14:46:37 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 6 workflows

Pins the default GITHUB_TOKEN to contents: read on the workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout. The other workflows in this directory are left implicit because they need write scopes that a maintainer is better placed to declare. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain
---
 .github/workflows/ci-main.yml | 3 +++
 .github/workflows/ci-pull-request.yml | 3 +++
 .github/workflows/docker-build-arm.yml | 3 +++
 .github/workflows/integration-test-library-mode.yml | 3 +++
 .github/workflows/retriever-unit-tests.yml | 3 +++
 .github/workflows/scheduled-nightly.yml | 3 +++
 6 files changed, 18 insertions(+)

diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
index 795237f7ba..f1abe39f91 100644
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 # Pre-commit checks
 pre-commit:
diff --git a/.github/workflows/ci-pull-request.yml b/.github/workflows/ci-pull-request.yml
index e179403401..80ae959f06 100644
--- a/.github/workflows/ci-pull-request.yml
+++ b/.github/workflows/ci-pull-request.yml
@@ -12,6 +12,9 @@ concurrency:
 group: ${{ github.workflow }}-pr-${{ github.event.pull_request.number }}
 cancel-in-progress: true
 
+permissions:
+ contents: read
+
 jobs:
 # Fast pre-commit checks (runs first)
 pre-commit:
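Review bot: The `permissions:` block added to ci-main.yml carries no comment, so a maintainer who later adds a step needing a write scope has nothing at the pin telling them to widen at job level rather than here; suggest `# Least-privilege GITHUB_TOKEN cap; a job that needs a write scope declares job-level permissions instead of widening this.` above it, and the same line in ci-pull-request.yml and the four files later in this patch. The hunk shows only the workflow header, so whether every job in the file really stops at checkout cannot be confirmed from here; before merge, grep the six files for `github.token`, `secrets.GITHUB_TOKEN`, `gh `, and `actions/github-script`, since any step that posts a status, check or comment through the API will now fail with 403 at run time rather than at parse time. On `pull_request` events from forks the token is read-only regardless, so ci-pull-request.yml is the file least likely to surface a regression, and ci-main.yml, which runs on push to main with a full-scope default, is the one most worth exercising once before merge.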
diff --git a/.github/workflows/docker-build-arm.yml b/.github/workflows/docker-build-arm.yml
index 5cf05fd587..fde9dff648 100644
--- a/.github/workflows/docker-build-arm.yml
+++ b/.github/workflows/docker-build-arm.yml
@@ -4,6 +4,9 @@ on:
 # Manual-only: arm64 builds run in scheduled nightly workflow.
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: linux-large-disk
diff --git a/.github/workflows/integration-test-library-mode.yml b/.github/workflows/integration-test-library-mode.yml
index cff1055669..840aa89968 100644
--- a/.github/workflows/integration-test-library-mode.yml
+++ b/.github/workflows/integration-test-library-mode.yml
@@ -16,6 +16,9 @@ on:
 type: string
 default: ''
 
+permissions:
+ contents: read
+
 jobs:
 integration-test:
 name: Integration Tests (${{ matrix.os-label }})
diff --git a/.github/workflows/retriever-unit-tests.yml b/.github/workflows/retriever-unit-tests.yml
index 87474405a3..05d066f842 100644
--- a/.github/workflows/retriever-unit-tests.yml
+++ b/.github/workflows/retriever-unit-tests.yml
@@ -8,6 +8,9 @@ on:
 - main
 pull_request:
 
+permissions:
+ contents: read
+
 jobs:
 retriever-unit-tests:
 name: Run Retriever Unit Tests
diff --git a/.github/workflows/scheduled-nightly.yml b/.github/workflows/scheduled-nightly.yml
index 6f2bed65e4..eb48448781 100644
--- a/.github/workflows/scheduled-nightly.yml
+++ b/.github/workflows/scheduled-nightly.yml
@@ -17,6 +17,9 @@ on:
 type: boolean
 default: false
 
+permissions:
+ contents: read
+
 jobs:
 # Generate version for all nightly builds
 determine-version:
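Review bot: The `build` job in docker-build-arm.yml is cut off after `runs-on: linux-large-disk`, so the hunk cannot show whether it pushes the arm64 image; a push to GHCR authenticated with GITHUB_TOKEN needs `packages: write`, which the workflow-level `contents: read` now denies, so such a job would fail at the push step. If the job only builds, as the commit message states for all six files, a comment such as `# build-only: no registry push, so contents: read suffices` above `permissions:` records that assumption; if it does push, keep the workflow-level cap and add `permissions:` with `packages: write` on the `build` job alone. The same check applies to scheduled-nightly.yml, whose `determine-version` job feeds "all nightly builds" and therefore presumably has publishing jobs after it outside the hunk. A manual `workflow_dispatch` run of each is the cheapest way to confirm before merge.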