From 9b7c099b3bfe59d0abf66ce06100bfe30b4b26e1 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Fri, 15 May 2026 14:42:40 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 8 workflows

Pins the default GITHUB_TOKEN to contents: read on the workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout. The other workflows in this directory are left implicit because they need write scopes that a maintainer is better placed to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain
---
 .github/workflows/code-style-checks.yml | 3 +++
 .github/workflows/gpu-hvd-tests.yml     | 3 +++
 .github/workflows/gpu-tests.yml         | 3 +++
 .github/workflows/hvd-tests.yml         | 3 +++
 .github/workflows/mps-tests.yml         | 3 +++
 .github/workflows/tpu-tests.yml         | 3 +++
 .github/workflows/typing-checks.yml     | 3 +++
 .github/workflows/unit-tests.yml        | 3 +++
 8 files changed, 24 insertions(+)

diff --git a/.github/workflows/code-style-checks.yml b/.github/workflows/code-style-checks.yml
index 616add9d8fb3..fa80e316a7fd 100644
--- a/.github/workflows/code-style-checks.yml
+++ b/.github/workflows/code-style-checks.yml
@@ -38,6 +38,9 @@ concurrency:
   group: code-style-${{ github.ref_name }}-${{ !(github.ref_protected) || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   code-style:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/gpu-hvd-tests.yml b/.github/workflows/gpu-hvd-tests.yml
index bdab69a5be3f..eb92dfe15fca 100644
--- a/.github/workflows/gpu-hvd-tests.yml
+++ b/.github/workflows/gpu-hvd-tests.yml
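Review bot: A workflow-level `permissions:` block sets every scope it does not list to none, so in code-style-checks.yml (and likewise in the hvd-tests, typing-checks and unit-tests hunks) the cap is only safe if no step in the jobs — whose bodies lie outside the hunk — uses GITHUB_TOKEN for anything beyond `actions/checkout`; a step that comments on a PR, publishes a release or pushes a tag would fail at runtime rather than be caught here. A one-line comment above the new block would steer the next maintainer to extend scope per job instead of widening this one: `# Least-privilege GITHUB_TOKEN: actions/checkout only needs contents: read; add further scopes under the job that needs them.` Pull-request runs from forks already receive a read-only token, so this cap mainly bites on push/schedule/workflow_dispatch runs — the triggers are outside the hunk, so confirm that is the intended coverage.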
@@ -17,6 +17,9 @@ concurrency:
 
 # Cherry-picked from https://github.com/pytorch/test-infra/blob/main/.github/workflows/linux_job.yml
 
+permissions:
+  contents: read
+
 jobs:
   gpu-hvd-tests:
     strategy:
diff --git a/.github/workflows/gpu-tests.yml b/.github/workflows/gpu-tests.yml
index 228ac28814a1..9ee03a1ad8df 100644
--- a/.github/workflows/gpu-tests.yml
+++ b/.github/workflows/gpu-tests.yml
@@ -17,6 +17,9 @@ concurrency:
 
 # Cherry-picked from https://github.com/pytorch/test-infra/blob/main/.github/workflows/linux_job_v2.yml
 
+permissions:
+  contents: read
+
 jobs:
   gpu-tests:
     strategy:
diff --git a/.github/workflows/hvd-tests.yml b/.github/workflows/hvd-tests.yml
index 9fdc9092f0a5..ac26a59a89a7 100644
--- a/.github/workflows/hvd-tests.yml
+++ b/.github/workflows/hvd-tests.yml
@@ -23,6 +23,9 @@ concurrency:
   group: hvd-tests-${{ github.ref_name }}-${{ !(github.ref_protected) || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   horovod-tests:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/mps-tests.yml b/.github/workflows/mps-tests.yml
index 7cc0317e5173..024bece12485 100644
--- a/.github/workflows/mps-tests.yml
+++ b/.github/workflows/mps-tests.yml
@@ -29,6 +29,9 @@ concurrency:
 # - https://github.com/pytorch/vision/blob/main/.github/workflows/tests.yml
 # - https://github.com/pytorch/test-infra/blob/main/.github/workflows/macos_job.yml
 
+permissions:
+  contents: read
+
 jobs:
   mps-tests:
     strategy:
diff --git a/.github/workflows/tpu-tests.yml b/.github/workflows/tpu-tests.yml
index e22a71693860..84f97bc122ea 100644
--- a/.github/workflows/tpu-tests.yml
+++ b/.github/workflows/tpu-tests.yml
@@ -24,6 +24,9 @@ concurrency:
   group: tpu-tests-${{ github.ref_name }}-${{ !(github.ref_protected) || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   tpu-tests:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/typing-checks.yml b/.github/workflows/typing-checks.yml
index ad14c286d35d..ab15123281ce 100644
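Review bot: In gpu-hvd-tests.yml the new workflow-level `contents: read` also withholds the `id-token` scope from the job, and the context comment says the job is cherry-picked from test-infra's linux_job.yml, which as far as I recall obtains its AWS/ECR credentials through an OIDC `id-token: write`; the same question applies to the gpu-tests, mps-tests and tpu-tests hunks, whose job bodies (and any cloud-auth steps) lie outside the hunk. If any of those jobs performs a federated login, keep the workflow cap and grant the scope only on that job, e.g. `permissions:` / `  id-token: write` / `  contents: read` under the job key. A dry run of each affected workflow on a branch before merge would confirm that nothing in the jobs relied on the previous default token.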
--- a/.github/workflows/typing-checks.yml
+++ b/.github/workflows/typing-checks.yml
@@ -30,6 +30,9 @@ concurrency:
   group: typing-${{ github.ref_name }}-${{ !(github.ref_protected) || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   pyrefly:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index bd581a88eb84..d1ee2a9fe982 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -31,6 +31,9 @@ concurrency:
   group: unit-tests-${{ github.ref_name }}-${{ !(github.ref_protected) || github.sha }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   cpu-tests:
     runs-on: ${{ matrix.os }}