From 90301d9ece741f1cdfa429a2a3943d91be4f3926 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Fri, 15 May 2026 07:42:08 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on ci + nightlies workflows

Pins the default GITHUB_TOKEN to contents: read on the 6 workflows in .github/workflows/ that don't actually need any write scope:
- ci.yaml: PR/push CI suite.
- nightlies.yaml: master nightlies entry point.
- nightlies-25.2.yaml, nightlies-25.4.yaml, nightlies-26.1.yaml, nightlies-26.2.yaml: per-release nightly stress runs.

None call a GitHub API beyond the initial checkout.

Left implicit on purpose:
- code-cover-gen.yaml uses 'gh pr view' (needs pull-requests: read).
- nightly-code-cover.yaml passes github.token to a gh-cli step.
- code-cover-publish.yaml writes coverage results.

Those three are best declared by a maintainer who knows whether pull-requests: read at workflow or job scope is the right shape.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain
---
 .github/workflows/ci.yaml | 3 +++
 .github/workflows/nightlies-25.2.yaml | 3 +++
 .github/workflows/nightlies-25.4.yaml | 3 +++
 .github/workflows/nightlies-26.1.yaml | 3 +++
 .github/workflows/nightlies-26.2.yaml | 3 +++
 .github/workflows/nightlies.yaml | 3 +++
 6 files changed, 18 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index e063fe06f71..e676a89d0f9 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -13,6 +13,9 @@ on:
       - crl-release-*
       - pebble-release-*
 
+permissions:
+  contents: read
+
 jobs:
   # This check is required to merge PRs.
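Review bot: The new `permissions:` block in ci.yaml carries no comment, and since a job-level `permissions:` key overrides the workflow-level set for that job (scopes it does not name fall back to none), the first maintainer who later gives one job an extra scope can silently lose `contents: read` for that job without anything in the file warning them. Suggest a one-line comment above the block, `# Least-privilege GITHUB_TOKEN; a job that needs more must re-declare every scope it uses at job level.`, and the same comment on the identical blocks in nightlies-25.2.yaml, nightlies-25.4.yaml, nightlies-26.1.yaml, nightlies-26.2.yaml and nightlies.yaml. The commit message's claim that none of these jobs touch the GitHub API beyond checkout cannot be checked from the hunk, because the job bodies lie outside it; a link to a green run of each workflow from this branch would make that claim reviewable rather than asserted.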
diff --git a/.github/workflows/nightlies-25.2.yaml b/.github/workflows/nightlies-25.2.yaml
index 16eaa697334..4271831a03a 100644
--- a/.github/workflows/nightlies-25.2.yaml
+++ b/.github/workflows/nightlies-25.2.yaml
@@ -8,6 +8,9 @@ on:
 env:
   BRANCH: crl-release-25.2
 
+permissions:
+  contents: read
+
 jobs:
   resolve-sha:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/nightlies-25.4.yaml b/.github/workflows/nightlies-25.4.yaml
index 9aadfcf7545..0606e7c12ca 100644
--- a/.github/workflows/nightlies-25.4.yaml
+++ b/.github/workflows/nightlies-25.4.yaml
@@ -8,6 +8,9 @@ on:
 env:
   BRANCH: crl-release-25.4
 
+permissions:
+  contents: read
+
 jobs:
   resolve-sha:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/nightlies-26.1.yaml b/.github/workflows/nightlies-26.1.yaml
index 63987a00b3d..1a40e2a5b72 100644
--- a/.github/workflows/nightlies-26.1.yaml
+++ b/.github/workflows/nightlies-26.1.yaml
@@ -8,6 +8,9 @@ on:
 env:
   BRANCH: crl-release-26.1
 
+permissions:
+  contents: read
+
 jobs:
   resolve-sha:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/nightlies-26.2.yaml b/.github/workflows/nightlies-26.2.yaml
index 82688fb314a..d8292866707 100644
--- a/.github/workflows/nightlies-26.2.yaml
+++ b/.github/workflows/nightlies-26.2.yaml
@@ -8,6 +8,9 @@ on:
 env:
   BRANCH: crl-release-26.2
 
+permissions:
+  contents: read
+
 jobs:
   resolve-sha:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/nightlies.yaml b/.github/workflows/nightlies.yaml
index 51d396a3e1e..142e36c12dd 100644
--- a/.github/workflows/nightlies.yaml
+++ b/.github/workflows/nightlies.yaml
@@ -5,6 +5,9 @@ on:
     - cron: '00 10 * * * ' # 10am UTC daily
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     strategy:
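Review bot: A scope that one of the nightly jobs actually needs would not fail on this PR's CI, because the nightlies.yaml hunk shows these workflows run from `schedule` (the daily cron) and `workflow_dispatch`, so a permissions regression surfaces only as a failed nightly, and for the per-release files nightlies-25.2.yaml, nightlies-25.4.yaml, nightlies-26.1.yaml and nightlies-26.2.yaml possibly not until someone looks at that release's run. Since `workflow_dispatch` is already wired up, the cheap check is to dispatch each of the five nightlies once from this branch before merging and record the run in the PR; the `resolve-sha` and `tests` job bodies are outside these hunks, so the reviewer cannot confirm from the diff alone that they stay within `contents: read`. Worth stating in the commit message as well: `permissions:` bounds only the GITHUB_TOKEN, so if the stress runs consume any other repository secrets (for example cloud credentials), those are not narrowed by this change and still warrant their own scoping.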