From c7b7e5cbecdfffe14e47b0c5c2cdc3423480a8a4 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Fri, 15 May 2026 07:46:20 +0900 Subject: [PATCH] ci: declare workflow-level contents: read on 6 test/lint workflows Pins the default GITHUB_TOKEN to contents: read on the 6 workflows in .github/workflows/ that don't actually need any write scope: - c-check.yml: C-extension build check. - milestone.yml: PR milestone enforcer. The github-script step only reads context.payload.pull_request and calls core.setFailed / core.info; no github.rest.* API call. - ruby.yml: Ruby test matrix. - rust.yml: Rust parser build. - typecheck.yml: steep typecheck. - windows.yml: Windows test job. bundle-update.yml and comments.yml are intentionally left implicit: - bundle-update.yml does git push, gh pr create, gh pr merge --auto. - comments.yml needs comment-write scope. Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check. YAML validated locally with yaml.safe_load. Signed-off-by: Arpit Jain --- .github/workflows/c-check.yml | 3 +++ .github/workflows/milestone.yml | 3 +++ .github/workflows/ruby.yml | 3 +++ .github/workflows/rust.yml | 3 +++ .github/workflows/typecheck.yml | 3 +++ .github/workflows/windows.yml | 3 +++ 6 files changed, 18 insertions(+) diff --git a/.github/workflows/c-check.yml b/.github/workflows/c-check.yml index d9ed0df5c4..fe09e01638 100644 --- a/.github/workflows/c-check.yml +++ b/.github/workflows/c-check.yml @@ -7,6 +7,9 @@ on: pull_request: {} merge_group: {} +permissions: + contents: read + jobs: format-check: runs-on: ubuntu-latest diff --git a/.github/workflows/milestone.yml b/.github/workflows/milestone.yml index f0dc278403..04151a6234 100644 --- a/.github/workflows/milestone.yml 
+++ b/.github/workflows/milestone.yml @@ -4,6 +4,9 @@ on: pull_request: types: [opened, edited, labeled, unlabeled, milestoned, demilestoned, synchronize] +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/ruby.yml b/.github/workflows/ruby.yml index 56d9ab8ec7..acb66d1e4d 100644 --- a/.github/workflows/ruby.yml +++ b/.github/workflows/ruby.yml @@ -7,6 +7,9 @@ on: pull_request: {} merge_group: {} +permissions: + contents: read + jobs: test: runs-on: "ubuntu-latest" diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 3df481c3ff..4fc749c03a 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -12,6 +12,9 @@ on: env: RUSTFLAGS: "-D warnings" +permissions: + contents: read + jobs: test: name: cargo:test diff --git a/.github/workflows/typecheck.yml b/.github/workflows/typecheck.yml index 109becfd14..30bfc80a79 100644 --- a/.github/workflows/typecheck.yml +++ b/.github/workflows/typecheck.yml @@ -7,6 +7,9 @@ on: pull_request: {} merge_group: {} +permissions: + contents: read + jobs: steep: runs-on: "ubuntu-latest" diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 1733e7d5e8..da184e05dc 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -7,6 +7,9 @@ on: pull_request: {} merge_group: {} +permissions: + contents: read + jobs: compile: runs-on: "windows-latest"
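Review bot: the c-check.yml hunk (and the five identical blocks that follow) is missing an in-file rationale; a one-line YAML comment above `permissions:` such as `# least-privilege cap for GITHUB_TOKEN; widen only per-job if a step genuinely needs a write scope` would keep the reasoning from the commit message next to the setting, so a later contributor adding a step does not simply delete the block when a 403 appears. Note also that a workflow-level `permissions:` block replaces the default scope set rather than narrowing it, so after this change every scope other than `contents` is `none` for these workflows, which is what the diffstat (18 insertions, no deletions) and the commit message intend.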
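Review bot: for the milestone.yml hunk, the `check` job is the only one of the six that is stated to run `actions/github-script`, and the token that script receives is now `contents: read` only, with `pull-requests` at `none`. That is correct as long as the step only reads `context.payload.pull_request` (event payload, no API round trip) and calls `core.setFailed` / `core.info`, as the commit message says; please confirm there is no `github.rest.*` or `github.graphql` call in that step, since those would now fail rather than silently keep working. If the step ever needs to read PR data via the API, the right fix is a job-level `permissions: pull-requests: read` on `check`, not widening the workflow-level block.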
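Review bot: style point on the rust.yml hunk: the `permissions:` block is inserted after the `env:` map here, whereas in the other five files it sits directly below the `on:` triggers. Both positions are valid YAML and GitHub reads the key wherever it appears at the top level, but placing it immediately after `on:` in rust.yml as well would make the six files grep-identical and easier to audit in one pass.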