From ce06074d810b15ccc41734bb9b1b8063d339aa7f Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Fri, 15 May 2026 14:47:40 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 6 workflows

Pins the default GITHUB_TOKEN to contents: read on the workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout. The other workflows in this directory are left implicit because they need write scopes that a maintainer is better placed to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain
---
 .github/workflows/validate-android.yml | 3 +++
 .github/workflows/validate-cpp.yml | 3 +++
 .github/workflows/validate-js.yml | 3 +++
 .github/workflows/validate-swiftpm.yml | 3 +++
 .github/workflows/validate-tests.yml | 3 +++
 .github/workflows/validate-website.yml | 3 +++
 6 files changed, 18 insertions(+)

diff --git a/.github/workflows/validate-android.yml b/.github/workflows/validate-android.yml
index dff4fb52b1..83faa9c086 100644
--- a/.github/workflows/validate-android.yml
+++ b/.github/workflows/validate-android.yml
@@ -8,6 +8,9 @@ on:
       - 'release-*'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build [${{ matrix.os }}][${{ matrix.mode }}]
diff --git a/.github/workflows/validate-cpp.yml b/.github/workflows/validate-cpp.yml
index 666c11957f..3d7cbe56cf 100644
--- a/.github/workflows/validate-cpp.yml
+++ b/.github/workflows/validate-cpp.yml
@@ -11,6 +11,9 @@ on:
 env:
   GTEST_COLOR: 1
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Build and Test [${{ matrix.toolchain }}][${{ matrix.mode }}]
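Review bot: A workflow-level `permissions:` block that lists only `contents: read` sets every unlisted scope to `none`, so any step in validate-android.yml that still writes through the API (check-run annotations, PR comments, releases) would now fail with a 403 at run time rather than at YAML validation; the hunk shows only the `build` job's name, so whether such a step exists cannot be confirmed from this diff and is worth checking with one run per trigger listed under `on:`. The same applies to the validate-cpp, validate-js, validate-swiftpm, validate-tests and validate-website hunks. A one-line comment above the block would record the intent for whoever later adds a publishing step, e.g. `# Least-privilege GITHUB_TOKEN: a job that needs more must declare it at job level.`. The job bodies continue outside the hunk.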
diff --git a/.github/workflows/validate-js.yml b/.github/workflows/validate-js.yml
index ea50bdeb48..dd70663bcd 100644
--- a/.github/workflows/validate-js.yml
+++ b/.github/workflows/validate-js.yml
@@ -11,6 +11,9 @@ on:
 env:
   FORCE_COLOR: 3
 
+permissions:
+  contents: read
+
 jobs:
   benchmark:
     name: Benchmark [${{ matrix.os }}]
diff --git a/.github/workflows/validate-swiftpm.yml b/.github/workflows/validate-swiftpm.yml
index 844825e064..3f3a0ab39f 100644
--- a/.github/workflows/validate-swiftpm.yml
+++ b/.github/workflows/validate-swiftpm.yml
@@ -8,6 +8,9 @@ on:
       - 'release-*'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Build
diff --git a/.github/workflows/validate-tests.yml b/.github/workflows/validate-tests.yml
index 2ca0c39894..d3efeb6b19 100644
--- a/.github/workflows/validate-tests.yml
+++ b/.github/workflows/validate-tests.yml
@@ -7,6 +7,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   validate:
     name: Validate
diff --git a/.github/workflows/validate-website.yml b/.github/workflows/validate-website.yml
index 667ada0682..9ef7d0ceb7 100644
--- a/.github/workflows/validate-website.yml
+++ b/.github/workflows/validate-website.yml
@@ -9,6 +9,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build_next:
     name: Build
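Review bot: The `benchmark` job in validate-js.yml is the one in this series most likely to need more than `contents: read`, since benchmark jobs commonly publish results by pushing to a branch or commenting on the pull request; only the job's name is visible here, so this is a question to confirm rather than a defect. If it does publish, keep the workflow-level cap as written and give that job its own narrower grant under `benchmark:`, e.g. `permissions:` with `pull-requests: write`, instead of widening the whole workflow. The job body continues outside the hunk.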