ci: declare contents:read on test workflow

[arpitjain099]

Adds a workflow-level permissions: contents: read block. The job here only checks out the repository and runs its tests / validation; no GitHub API call beyond the initial checkout is needed.

CVE-2025-30066 (the March 2025 tj-actions/changed-files supply-chain compromise) is the canonical motivation: a tampered third-party action exfiltrated GITHUB_TOKEN from workflow logs and the leaked token retained whatever scope was issued at the workflow level. Per-workflow caps bound that runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and register with OpenSSF Scorecard's Token-Permissions check (which only credits explicit per-workflow declarations).

YAML validated locally with yaml.safe_load.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 0f3c3b97-12ef-4ed8-a206-87f8ffff48fd

📥 Commits

Reviewing files that changed from the base of the PR and between d796ff5 and 76897f4.

📒 Files selected for processing (1)

• .github/workflows/test.yml

---

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions workflow permissions configuration for improved security practices.

Walkthrough

The pull request adds a workflow-level permissions block to .github/workflows/test.yml, restricting the GitHub Actions token to read-only access for repository contents. This is a security-hardening change that reduces the exposure of the workflow run's permissions.

Changes

CI Workflow Permissions

Layer / File(s)	Summary
Workflow permissions restriction .github/workflows/test.yml	Adds explicit permissions: contents: read block to the workflow, restricting token access scope to read-only operations on repository contents.

---

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: adding workflow-level contents:read permissions to the test workflow.
Description check	✅ Passed	The description is directly related to the changeset, explaining the motivation (CVE-2025-30066), the security rationale for explicit permission scoping, and confirming YAML validation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}