From 8fb72b1b83f460167f0431cf35511a98fe018380 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Tue, 26 May 2026 08:11:14 +0900
Subject: [PATCH 1/2] ci: declare workflow-level contents: read on ci and lint

Workflow runs checks only; no GitHub API writes. Post-CVE-2025-30066 hardening pattern.

Signed-off-by: Arpit Jain
---
 .github/workflows/ci.yml   | 3 +++
 .github/workflows/lint.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b85a45c1bb..073fcf0589 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,9 @@ on: [pull_request, push, workflow_dispatch]
 env:
   FORCE_COLOR: 1
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Check build, markup, and links
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4622f995aa..c83cb57a54 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,6 +2,9 @@ name: Lint
 on: [push, pull_request, workflow_dispatch]
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest

From 427852d8dd8110b62826cd480a881dee3fee8504 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Tue, 26 May 2026 18:59:32 +0900
Subject: [PATCH 2/2] ci: tighten to permissions: {} per hugovk review

Per @hugovk on #1811: drop `contents: read` to deny-all `permissions: {}`. Both workflows only run `actions/checkout` against a public repo (which falls back to unauthenticated clone with no token scope) plus python/uv/pre-commit setup, none of which call the GitHub API.

Signed-off-by: Arpit Jain
---
 .github/workflows/ci.yml   | 3 +--
 .github/workflows/lint.yml | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 073fcf0589..723151d189 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,8 +5,7 @@ on: [pull_request, push, workflow_dispatch]
 env:
   FORCE_COLOR: 1
-permissions:
-  contents: read
+permissions: {}
 jobs:
   test:
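Review bot: The new `permissions: {}` line in the ci.yml hunk (and the matching lint.yml hunk that follows) lands without a comment recording the assumptions that make deny-all safe here: the repository is public, so `actions/checkout` can fall back to an unauthenticated clone, and no step talks to the GitHub API. Those assumptions live only in the commit message, so a later step that needs the token, or a change of repository visibility, would fail in a way that is hard to trace back to this key. Suggest a comment above it in both files: `# Deny-all token: jobs only clone a public repo and run local tooling; grant scopes per job if a step ever needs the GitHub API.` The `test` job's steps lie outside the hunk; given its name `Check build, markup, and links`, it is worth confirming that the link checker does not rely on the token for GitHub API rate limits, since with no scopes it would presumably run unauthenticated.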
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index c83cb57a54..6519953670 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,8 +2,7 @@ name: Lint
 on: [push, pull_request, workflow_dispatch]
-permissions:
-  contents: read
+permissions: {}
 jobs:
   lint: