ci: declare workflow-level contents: read on 6 workflows

arpitjain099 · ytmimi · commit 348794e6bc9b · 2026-05-21T23:12:09.000-04:00
Pins the default GITHUB_TOKEN to contents: read on the workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout. The other workflows in this directory are left implicit because they need write scopes that a maintainer is better placed to declare. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
diff --git a/.github/workflows/check_diff.yml b/.github/workflows/check_diff.yml
@@ -33,6 +33,9 @@ on:
         description: 'Optional comma separated list of rustfmt config options to pass when running the feature branch'
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   diff_check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -5,6 +5,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   integration-tests:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
@@ -5,6 +5,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/mac.yml b/.github/workflows/mac.yml
@@ -5,6 +5,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     # https://help.github.com/en/actions/automating-your-workflow-with-github-actions/virtual-environments-for-github-hosted-runners#supported-runners-and-hardware-resources
diff --git a/.github/workflows/rustdoc_check.yml b/.github/workflows/rustdoc_check.yml
@@ -5,6 +5,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   rustdoc_check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -5,6 +5,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: windows-latest
