From 9be2bf787dc7028bf9aa0162cce767cd9e5db610 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Fri, 15 May 2026 07:28:34 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 8 e2e/test workflows

Pins the default GITHUB_TOKEN to contents: read on the 8 workflows in .github/workflows/ that don't actually need any write scope:
- e2e-kind-create.yaml, e2e-kind-decommission.yaml, e2e-kind-upgrades.yaml, e2e-kind-upgradessha256.yaml, e2e-kind-versionchecker.yaml: kind cluster e2e suites.
- nightly-smoketest.yaml: scheduled smoke test.
- templates.yaml: template-generation check, no GitHub API.
- tests.yaml: unit/integration test matrix.

update-crdb-versions.yaml is intentionally left out; it uses peter-evans/create-pull-request which needs contents: write + pull-requests: write. That scope is best declared by maintainers.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain
---
 .github/workflows/e2e-kind-create.yaml | 3 +++
 .github/workflows/e2e-kind-decommission.yaml | 3 +++
 .github/workflows/e2e-kind-upgrades.yaml | 3 +++
 .github/workflows/e2e-kind-upgradessha256.yaml | 3 +++
 .github/workflows/e2e-kind-versionchecker.yaml | 3 +++
 .github/workflows/nightly-smoketest.yaml | 3 +++
 .github/workflows/templates.yaml | 3 +++
 .github/workflows/tests.yaml | 3 +++
 8 files changed, 24 insertions(+)
diff --git a/.github/workflows/e2e-kind-create.yaml b/.github/workflows/e2e-kind-create.yaml
index 301829e37..3b4984868 100644
--- a/.github/workflows/e2e-kind-create.yaml
+++ b/.github/workflows/e2e-kind-create.yaml
@@ -24,6 +24,9 @@ on:
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 e2e-kind-create:
 runs-on: ubuntu-latest-4-core
diff --git a/.github/workflows/e2e-kind-decommission.yaml b/.github/workflows/e2e-kind-decommission.yaml
index ae5e16162..9ceffa4ed 100644
--- a/.github/workflows/e2e-kind-decommission.yaml
+++ b/.github/workflows/e2e-kind-decommission.yaml
@@ -24,6 +24,9 @@ on:
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 e2e-kind-decommission:
 runs-on: ubuntu-latest-4-core
diff --git a/.github/workflows/e2e-kind-upgrades.yaml b/.github/workflows/e2e-kind-upgrades.yaml
index b49eaa964..5a1aed64d 100644
--- a/.github/workflows/e2e-kind-upgrades.yaml
+++ b/.github/workflows/e2e-kind-upgrades.yaml
@@ -24,6 +24,9 @@ on:
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 e2e-kind-upgrades:
 runs-on: ubuntu-latest-4-core
diff --git a/.github/workflows/e2e-kind-upgradessha256.yaml b/.github/workflows/e2e-kind-upgradessha256.yaml
index f05a472d3..9e1a311a6 100644
--- a/.github/workflows/e2e-kind-upgradessha256.yaml
+++ b/.github/workflows/e2e-kind-upgradessha256.yaml
@@ -24,6 +24,9 @@ on:
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 e2e-kind-upgradessha256:
 runs-on: ubuntu-latest-4-core
diff --git a/.github/workflows/e2e-kind-versionchecker.yaml b/.github/workflows/e2e-kind-versionchecker.yaml
index 9621b95fa..30ac03c59 100644
--- a/.github/workflows/e2e-kind-versionchecker.yaml
+++ b/.github/workflows/e2e-kind-versionchecker.yaml
@@ -24,6 +24,9 @@ on:
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 e2e-kind-versionchecker:
 runs-on: ubuntu-latest
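Review bot: The new `permissions:` block in this hunk and in the seven matching hunks (e2e-kind-decommission, e2e-kind-upgrades, e2e-kind-upgradessha256, e2e-kind-versionchecker, nightly-smoketest, templates, tests) carries no comment saying why the token is capped at `contents: read` or where a wider scope belongs, so the next contributor who adds a step needing `packages: write` or `pull-requests: write` is likely to loosen it at workflow level instead; add `# Least-privilege GITHUB_TOKEN: checkout only needs contents: read. Grant extra scopes per job, not here.` above `permissions:` in each file. Every hunk ends at the first job's `runs-on:` line, so the steps that would show no write scope is required are outside the diff and the description's claim rests on the author's reading of them; the first scheduled or `workflow_dispatch` run after merge is the practical check, since a step lacking scope typically fails with a 403 rather than silently degrading. The `yaml.safe_load` check in the description confirms syntax only (and, under PyYAML's 1.1 rules, reads the `on:` key as a boolean); actionlint would also validate the `permissions` keys and values against the workflow schema. Capping the token narrows the blast radius of a compromised action such as the one cited but does not stop one from running, so whether the third-party actions in these workflows are pinned to commit SHAs — not visible in any hunk — is worth confirming alongside this change.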
diff --git a/.github/workflows/nightly-smoketest.yaml b/.github/workflows/nightly-smoketest.yaml
index 6160106f7..dabc9c603 100644
--- a/.github/workflows/nightly-smoketest.yaml
+++ b/.github/workflows/nightly-smoketest.yaml
@@ -25,6 +25,9 @@ on:
 # allows running from the actions tab in GitHub
 workflow_dispatch: ~
+permissions:
+ contents: read
+
 jobs:
 smoketest:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/templates.yaml b/.github/workflows/templates.yaml
index 61413b741..230600033 100644
--- a/.github/workflows/templates.yaml
+++ b/.github/workflows/templates.yaml
@@ -24,6 +24,9 @@ on:
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 templates:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 5113c507e..1f159b918 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -24,6 +24,9 @@ on:
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 tests:
 runs-on: ubuntu-latest