ci: declare workflow-level contents: read on the 17 build/test workflows (a2ui-project#1445)

arpitjain099 · web-flow · commit 15c3bc8ef0d7 · 2026-05-15T14:50:10.000-07:00
Pins the default GITHUB_TOKEN to contents: read on every workflow in
.github/workflows/.
diff --git a/.github/workflows/check_license.yml b/.github/workflows/check_license.yml
@@ -20,6 +20,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   check-license:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/check_private_index.yml b/.github/workflows/check_private_index.yml
@@ -18,6 +18,9 @@ on:
   push:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   check-for-private-index:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/composer_build_and_test.yml b/.github/workflows/composer_build_and_test.yml
@@ -28,6 +28,9 @@ on:
       - "renderers/web_core/**"
       - ".github/workflows/composer_build_and_test.yml"
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/e2e_test.yaml b/.github/workflows/e2e_test.yaml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: "0 0 * * *" # daily
 
+permissions:
+  contents: read
+
 jobs:
   e2e_test:
     # Do not run on forked branches,
diff --git a/.github/workflows/editor_build.yml b/.github/workflows/editor_build.yml
@@ -28,6 +28,9 @@ on:
       - "renderers/web_core/**"
       - ".github/workflows/editor_build.yml"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/enforce-formatting.yml b/.github/workflows/enforce-formatting.yml
@@ -19,6 +19,9 @@ on:
     branches: [main]
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   enforce-formatting:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/flutter_packages_test.yaml b/.github/workflows/flutter_packages_test.yaml
@@ -31,6 +31,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   matrix:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/inspector_build.yml b/.github/workflows/inspector_build.yml
@@ -29,6 +29,9 @@ on:
       - "renderers/web_core/**"
       - ".github/workflows/inspector_build.yml"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/kotlin_agent_sdk_build_and_test.yml b/.github/workflows/kotlin_agent_sdk_build_and_test.yml
@@ -28,6 +28,9 @@ on:
       - "specification/**/json/**"
       - "agent_sdks/conformance/**"
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/lit_build_and_test.yml b/.github/workflows/lit_build_and_test.yml
@@ -27,6 +27,9 @@ on:
       - "renderers/web_core/**"
       - ".github/workflows/lit_build_and_test.yml"
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/lit_samples_build.yml b/.github/workflows/lit_samples_build.yml
@@ -23,6 +23,9 @@ on:
     paths-ignore:
       - "samples/agent/adk/**"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ng_build_and_test.yml b/.github/workflows/ng_build_and_test.yml
@@ -23,6 +23,9 @@ on:
     paths-ignore:
       - "samples/agent/adk/**"
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/python_agent_sdk_build_and_test.yml b/.github/workflows/python_agent_sdk_build_and_test.yml
@@ -28,6 +28,9 @@ on:
       - "specification/**/json/**"
       - "agent_sdks/conformance/**"
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/python_samples_build.yml b/.github/workflows/python_samples_build.yml
@@ -28,6 +28,9 @@ on:
       - "agent_sdks/python/**"
       - "specification/**/json/**"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build samples
diff --git a/.github/workflows/react_renderer.yml b/.github/workflows/react_renderer.yml
@@ -29,6 +29,9 @@ on:
       - "renderers/lit/**"
       - "samples/agent/adk/**"
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/validate_specifications.yml b/.github/workflows/validate_specifications.yml
@@ -27,6 +27,9 @@ on:
       - ".github/workflows/validate_specifications.yml"
       - "specification/scripts/validate.py"
 
+permissions:
+  contents: read
+
 jobs:
   validate:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/web_build_and_test.yml b/.github/workflows/web_build_and_test.yml
@@ -25,6 +25,9 @@ on:
       - "renderers/web_core/**/*"
       - ".github/workflows/web_build_and_test.yml"
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
