From 6aa9a57351d3580703e3ab2dcfa4efad4edcce53 Mon Sep 17 00:00:00 2001
From: Arpit Jain <arpitjain099@gmail.com>
Date: Fri, 15 May 2026 14:51:22 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 5 workflows

Pins the default GITHUB_TOKEN to contents: read on the workflows in
.github/workflows/ that don't call a GitHub API beyond the initial
checkout. The other workflows in this directory are left implicit
because they need write scopes that a maintainer is better placed
to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files
compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow
caps bound runtime authority irrespective of repo or org default,
give drift protection if the default ever widens, and are credited
per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
---
 .github/workflows/protocol.yml    | 3 +++
 .github/workflows/ruby-macos.yaml | 3 +++
 .github/workflows/ruby.yml        | 3 +++
 .github/workflows/test_test.yml   | 3 +++
 .github/workflows/truffleruby.yml | 3 +++
 5 files changed, 15 insertions(+)

diff --git a/.github/workflows/protocol.yml b/.github/workflows/protocol.yml
index fb9c3b204..666ab4375 100644
--- a/.github/workflows/protocol.yml
+++ b/.github/workflows/protocol.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   ruby-versions:
     uses: ruby/actions/.github/workflows/ruby_versions.yml@master
diff --git a/.github/workflows/ruby-macos.yaml b/.github/workflows/ruby-macos.yaml
index 6e4d6bc06..e48eeb2cf 100644
--- a/.github/workflows/ruby-macos.yaml
+++ b/.github/workflows/ruby-macos.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   ruby-versions:
     uses: ruby/actions/.github/workflows/ruby_versions.yml@master
diff --git a/.github/workflows/ruby.yml b/.github/workflows/ruby.yml
index 2666dc282..f53c61da7 100644
--- a/.github/workflows/ruby.yml
+++ b/.github/workflows/ruby.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   ruby-versions:
     uses: ruby/actions/.github/workflows/ruby_versions.yml@master
diff --git a/.github/workflows/test_test.yml b/.github/workflows/test_test.yml
index f4339bf35..72e31affb 100644
--- a/.github/workflows/test_test.yml
+++ b/.github/workflows/test_test.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   ruby-versions:
     uses: ruby/actions/.github/workflows/ruby_versions.yml@master
diff --git a/.github/workflows/truffleruby.yml b/.github/workflows/truffleruby.yml
index 2d05d2ce7..a3ec885bd 100644
--- a/.github/workflows/truffleruby.yml
+++ b/.github/workflows/truffleruby.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   truffleruby:
     runs-on: ubuntu-latest