From 315eaf57f29f0df98232c7054882ef66a91ab20d Mon Sep 17 00:00:00 2001
From: Arpit Jain <arpitjain099@gmail.com>
Date: Mon, 18 May 2026 09:38:15 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 1 workflows

Pins the default GITHUB_TOKEN to contents: read on workflows that don't
call a GitHub API beyond the initial checkout. Other workflows that need
write scopes are left implicit for a maintainer to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files
compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow
caps bound runtime authority irrespective of repo or org default,
give drift protection, and are credited per-file by the OpenSSF
Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
---
 .github/workflows/pytest-optional.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/pytest-optional.yml b/.github/workflows/pytest-optional.yml
index e2968438e12..29b3dbf8b0f 100644
--- a/.github/workflows/pytest-optional.yml
+++ b/.github/workflows/pytest-optional.yml
@@ -15,6 +15,9 @@ concurrency:
   # Cancel only PR intermediate builds.
   cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
 
+permissions:
+  contents: read
+
 jobs:
   activate-tests:
     name: Check whether we should run tests or not