From be97020dea2f967e1e3ddfb29ecb3d248c44b779 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Mon, 25 May 2026 12:19:51 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on go/python/java/typescript test workflows
Four per-language test workflows just run their language test suites; no GitHub API writes from the workflows themselves. Post-CVE-2025-30066 hardening pattern. yaml.safe_load validated.
Signed-off-by: Arpit Jain
---
 .github/workflows/go_tests.yml | 3 +++
 .github/workflows/java_tests.yml | 3 +++
 .github/workflows/python_tests.yml | 3 +++
 .github/workflows/typescript_tests.yml | 3 +++
 4 files changed, 12 insertions(+)
diff --git a/.github/workflows/go_tests.yml b/.github/workflows/go_tests.yml
index 61c26be9cee3..81a518d054ec 100644
--- a/.github/workflows/go_tests.yml
+++ b/.github/workflows/go_tests.yml
@@ -34,6 +34,9 @@ on:
 concurrency:
 group: '${{ github.workflow }} @ ${{ github.event.issue.number || github.event.pull_request.head.label || github.sha || github.head_ref || github.ref }}-${{ github.event.schedule || github.event.comment.id || github.event.sender.login}}'
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: [self-hosted, ubuntu-24.04, main]
diff --git a/.github/workflows/java_tests.yml b/.github/workflows/java_tests.yml
index eedb1b102980..76f9d23b2d70 100644
--- a/.github/workflows/java_tests.yml
+++ b/.github/workflows/java_tests.yml
@@ -38,6 +38,9 @@ env:
 DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
 GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GE_CACHE_USERNAME }}
 GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GE_CACHE_PASSWORD }}
+permissions:
+ contents: read
+
 jobs:
 java_unit_tests:
 name: 'Java Unit Tests'
diff --git a/.github/workflows/python_tests.yml b/.github/workflows/python_tests.yml
index 6740b45c7956..1d7fc99fa08f 100644
--- a/.github/workflows/python_tests.yml
+++ b/.github/workflows/python_tests.yml
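Review bot: The new workflow-level `permissions: contents: read` carries no comment explaining what it does and does not constrain for the `build` job that follows on `self-hosted` runners; the `concurrency.group` expression's use of `github.event.issue.number` and `github.event.comment.id` suggests comment-driven triggers (the `on:` block is outside the hunk), and for those a read-only token limits GitHub API writes but not what checked-out PR code can do on a persistent runner host. A job-level `permissions:` block also replaces rather than extends this one, so any job that later needs a broader scope must re-list `contents: read` itself. I would add above the block: `# GITHUB_TOKEN is read-only for every job: this workflow only checks out and runs tests. A job needing more (e.g. id-token: write) must declare its own complete permissions block.`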
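Review bot: `DEVELOCITY_ACCESS_KEY`, `GRADLE_ENTERPRISE_CACHE_USERNAME` and `GRADLE_ENTERPRISE_CACHE_PASSWORD` remain workflow-level `env` entries immediately above the new `permissions:` block, so they are injected into every step of `java_unit_tests` and every other job in the file no matter how tightly GITHUB_TOKEN is scoped. The exfiltration pattern the commit message cites (CVE-2025-30066, a compromised action dumping runner memory) targets exactly such ambient secrets, which `contents: read` does nothing to contain. Consider moving these three entries into the `env:` of the job or step that actually runs Gradle, with a note beside them such as `# Build-cache credentials: keep scoped to the Gradle step, not workflow-wide.`; the jobs that consume them are outside the hunk, so I cannot say which step that is.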
@@ -36,6 +36,9 @@ concurrency:
 group: '${{ github.workflow }} @ ${{ github.event.issue.number || github.event.pull_request.head.label || github.sha || github.head_ref || github.ref }}-${{ github.event.schedule || github.event.comment.id || github.event.sender.login}}'
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 check_gcp_variables:
diff --git a/.github/workflows/typescript_tests.yml b/.github/workflows/typescript_tests.yml
index 9bc352379913..1233aa33af4a 100644
--- a/.github/workflows/typescript_tests.yml
+++ b/.github/workflows/typescript_tests.yml
@@ -44,6 +44,9 @@ concurrency:
 cancel-in-progress: true
 env:
 DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+permissions:
+ contents: read
+
 jobs:
 typescript_unit_tests:
 name: 'TypeScript Unit Tests'
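Review bot: The job name `check_gcp_variables` directly below the new block suggests this workflow interacts with GCP; if any of its jobs authenticate through an OIDC-based action, the workflow-level `contents: read` now denies the `id-token: write` such a step requires, and the failure surfaces only at run time. Because a job-level `permissions:` block replaces the workflow-level one entirely, such a job would need both scopes listed in full, e.g. `permissions:` / `  contents: read` / `  id-token: write`. The jobs themselves are outside the hunk, so please confirm before merging, and record the decision on the new block with a comment like `# Workflow-wide read-only token; a job that uses OIDC (id-token: write) must declare its own full permissions block.`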
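Review bot: `DEVELOCITY_ACCESS_KEY` is still a workflow-level `env` value sitting directly above the new `permissions:` block, so it reaches every step of `typescript_unit_tests` and any other job in the file; restricting GITHUB_TOKEN to `contents: read` does not reduce that exposure, which is the runner-memory leak the cited CVE-2025-30066 exploited. If the key is needed only by the build-scan or cache step, move it into that step's `env:` and drop the workflow-level entry — since this `env:` block holds a single key, that is a one-line relocation plus a job-level `env:` header. The steps are outside the hunk, so I cannot confirm which one consumes it.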