ci: declare workflow-level contents: read on 2 workflows#790

Merged
JounQin merged 1 commit into
prettier:mainfrom
arpitjain099:chore/declare-workflow-perms-readonly
May 28, 2026
Conversation

@arpitjain099

@arpitjain099 arpitjain099 commented May 16, 2026

Contributor

Pins the default GITHUB_TOKEN to contents: read on 3 workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout.

Why

CVE-2025-30066 (March 2025 tj-actions/changed-files supply-chain compromise) exfiltrated GITHUB_TOKEN from workflow logs. Pinning per workflow caps runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load on each touched file.

Summary by CodeRabbit

  • Chores
    • Improved workflow security by configuring GitHub Actions workflow-level token permissions to read-only access for repository contents across CI pipelines. This reduces the scope of automated workflow credentials, aligning with security best practices and minimizing the potential impact of compromised workflow tokens.
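The check the description mentions (loading each touched file with yaml.safe_load) only proves the YAML parses; the property that matters for the token is whether a workflow-level `permissions` block exists and whether it grants any write scope, which is what the OpenSSF Scorecard Token-Permissions check looks at. The following added example, not code from this PR or from the eslint-plugin-prettier repository, implements that check over constructed workflow samples: a CI workflow before and after the change in this PR, and a write-scoped autofix-style workflow of the kind the thread says must keep write access. It deliberately avoids PyYAML so it runs offline, and it only understands the block and flow mapping shapes used for `permissions`, not general YAML. All file names and contents are constructed.

```python
"""Report the workflow-level GITHUB_TOKEN permissions declared by GitHub Actions workflows.

Added example (not from this PR or the repository). Minimal line-based
parser: handles `permissions:` at column 0 in block form, flow form
(`{ contents: read }`) or scalar form (`read-all` / `write-all`), and
ignores indented job-level blocks, which do not set the workflow default.
"""
import re

FLOW_MAPPING = re.compile(r"^\{\s*(.*?)\s*\}$")


def _strip_comment(line: str) -> str:
    # Good enough for permission blocks; does not handle '#' inside quoted scalars.
    return line.split("#", 1)[0].rstrip()


def parse_permissions(text: str):
    """Return the workflow-level permissions as a dict, a scalar string
    ('read-all' / 'write-all'), or None when no top-level block is declared."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = _strip_comment(line)
        if not stripped or line[0] in " \t":  # blank, comment-only, or nested (job-level)
            continue
        if not stripped.startswith("permissions:"):
            continue
        value = stripped[len("permissions:"):].strip()
        if value:
            flow = FLOW_MAPPING.match(value)
            if flow:  # permissions: { contents: read, pull-requests: write }
                perms = {}
                for item in filter(None, (p.strip() for p in flow.group(1).split(","))):
                    key, _, scope = item.partition(":")
                    perms[key.strip()] = scope.strip()
                return perms
            return value  # read-all / write-all
        perms = {}  # block form: entries on the following indented lines
        for nxt in lines[i + 1:]:
            s = _strip_comment(nxt)
            if not s:
                continue
            if nxt[0] not in " \t":  # back at column 0: block has ended
                break
            key, _, scope = s.strip().partition(":")
            perms[key.strip()] = scope.strip()
        return perms
    return None


def classify(perms) -> str:
    """Verdict for a parsed permissions value: 'missing', 'read-only' or 'write'."""
    if perms is None:
        return "missing"  # falls back to the repo/org default, which may be write-all
    if perms == "write-all":
        return "write"
    if perms == "read-all":
        return "read-only"
    if any(scope == "write" for scope in perms.values()):
        return "write"
    return "read-only"  # every declared scope is read or none (an empty {} grants nothing)


def report(workflows: dict) -> dict:
    """Map each workflow file name to its verdict."""
    return {name: classify(parse_permissions(body)) for name, body in workflows.items()}


# Constructed samples (not the project's real workflow files).
CI_BEFORE = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: yarn test
"""

CI_AFTER = """\
name: CI
on: [push, pull_request]
permissions:
  contents: read   # workflow-level cap, as added by this PR
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: yarn test
"""

AUTOFIX_STYLE = """\
name: autofix
on: pull_request
permissions: { contents: write, pull-requests: write }  # pushes fixes back to the PR head
jobs:
  autofix:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # job-level block; does not change the workflow default above
    steps:
      - uses: actions/checkout@v4
"""

if __name__ == "__main__":
    for name, verdict in report({"ci.yml": CI_BEFORE, "pkg-pr-new.yml": CI_AFTER,
                                 "autofix.yml": AUTOFIX_STYLE}).items():
        print(f"{name}: {verdict}")
```

Running it flags the "before" workflow as `missing`, which is the state this PR removes: a workflow with no declaration inherits whatever the repository or organization default happens to be, so the declared `contents: read` is what makes the cap hold if that default ever widens.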


@changeset-bot

changeset-bot Bot commented May 16, 2026


⚠️ No Changeset found

Latest commit: d51eca3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@coderabbitai

coderabbitai Bot commented May 16, 2026


Walkthrough

The PR adds workflow-level permission restrictions to two GitHub Actions workflows (CI and package preview), explicitly limiting the workflow token to read-only access for repository contents.

Changes

Workflow Permission Restrictions

Layer / File(s): Add permissions blocks to workflows (.github/workflows/ci.yml, .github/workflows/pkg-pr-new.yml)
Summary: CI and package preview workflows now include permissions: { contents: read } at the workflow root to restrict the default Actions token scope to read-only repository content access.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

ci

Poem

🐰 Two workflows bow with careful grace,
Read-only tokens, their rightful place,
Least-privilege hums in every trace,
No extra keys to roam the space,
A tiny hop secures the base.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title accurately describes the main change: adding workflow-level contents: read permissions to 2 workflows, which matches the raw summary showing changes to ci.yml and pkg-pr-new.yml.


Comment thread .github/workflows/autofix.yml Outdated
@arpitjain099 arpitjain099 force-pushed the chore/declare-workflow-perms-readonly branch from af5b405 to 654a144 Compare May 18, 2026 01:02
@arpitjain099

Contributor Author

Good catch @JounQin, you're right. Dropped the autofix.yml change from the commit (it pushes fixes back to the PR via autofix-ci so needs write scope), kept the change on the other two workflows. Force-pushed with the commit SSH-signed (now Verified). Let me know if there's anything else.

@pkg-pr-new

pkg-pr-new Bot commented May 18, 2026


Open in StackBlitz

npm i https://pkg.pr.new/eslint-plugin-prettier@790

commit: d51eca3

@JounQin JounQin enabled auto-merge (squash) May 18, 2026 01:42
@arpitjain099

Contributor Author

@JounQin gentle ping - I dropped the autofix.yml change back on 5/18 and rebased; the PR is now scoped to just ci.yml + pkg-pr-new.yml, both of which are read-only. The CHANGES_REQUESTED label is from before that fix. Let me know if you'd like any more changes or want to close.

Pins the default GITHUB_TOKEN to contents: read on workflows that don't
call a GitHub API beyond the initial checkout. Drops the autofix.yml
change from the earlier revision because that workflow uses autofix-ci
to push fixes back to the PR head, which needs write scope (per @JounQin
review feedback). Other workflows that need write scopes are left
implicit for a maintainer to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files
compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow
caps bound runtime authority irrespective of repo or org default,
give drift protection, and are credited per-file by the OpenSSF
Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@JounQin JounQin force-pushed the chore/declare-workflow-perms-readonly branch from 654a144 to d51eca3 Compare May 28, 2026 10:45
@coderabbitai

coderabbitai Bot commented May 28, 2026


Actionable comments posted: 0

@JounQin JounQin changed the title ci: declare workflow-level contents: read on 3 workflows ci: declare workflow-level contents: read on 2 workflows May 28, 2026
@JounQin JounQin merged commit 4745b54 into prettier:main May 28, 2026
17 checks passed