From 2e758811840f0903131ff98f0b64115443aebc4e Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Mon, 25 May 2026 12:14:12 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 4 check workflows

Four workflows (code-quality, unit-tests, visual-regression-tests, build-health-checkup) just run checks and tests; no GitHub API writes from the workflows. Post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. yaml.safe_load validated.

Signed-off-by: Arpit Jain
---
 .github/workflows/build-health-checkup.yml | 3 +++
 .github/workflows/code-quality.yml | 3 +++
 .github/workflows/unit-tests.yml | 3 +++
 .github/workflows/visual-regression-tests.yml | 3 +++
 4 files changed, 12 insertions(+)

diff --git a/.github/workflows/build-health-checkup.yml b/.github/workflows/build-health-checkup.yml
index c127f55d1..bef5876ae 100644
--- a/.github/workflows/build-health-checkup.yml
+++ b/.github/workflows/build-health-checkup.yml
@@ -10,6 +10,9 @@ on:
 env:
   HUSKY: 0
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
index 7c98863ec..f30e62c93 100644
--- a/.github/workflows/code-quality.yml
+++ b/.github/workflows/code-quality.yml
@@ -7,6 +7,9 @@ on:
 env:
   HUSKY: 0
 
+permissions:
+  contents: read
+
 jobs:
   code-quality-checks:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index 87e4109be..e829f64ff 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -7,6 +7,9 @@ on:
 env:
   HUSKY: 0
 
+permissions:
+  contents: read
+
 jobs:
   unit-tests:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/visual-regression-tests.yml b/.github/workflows/visual-regression-tests.yml
index 48cc2b4a8..020e17d81 100644
--- a/.github/workflows/visual-regression-tests.yml
+++ b/.github/workflows/visual-regression-tests.yml
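Review bot: A workflow-level `permissions` block sets every scope it does not list to `none`, so any step in these jobs that writes back to GitHub (check annotations, a PR comment, a coverage status) would now fail at run time rather than at review time; the job bodies under `jobs:` are outside the hunk in all four files, so confirm each step against the read-only token before merging. The same block is added verbatim in code-quality.yml, unit-tests.yml and visual-regression-tests.yml, and this note applies to those hunks as well. Record the intent on the block so it is not widened casually, e.g. `# Least-privilege GITHUB_TOKEN: these jobs only read the checkout; grant any extra scope per job, not here.` A read-only token limits the blast radius of a token leaked by a compromised action, which is the incident the message cites, but it does not prevent the leak itself; if any step references a third-party action by mutable tag rather than a commit SHA, pinning is the complementary control and is not part of this change.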
@@ -7,6 +7,9 @@ on:
 env:
   HUSKY: 0
 
+permissions:
+  contents: read
+
 jobs:
   visual-regression:
     runs-on: ubuntu-latest