From 44cdfba049c0c93a15fb041948615e904b34e53b Mon Sep 17 00:00:00 2001
From: arpitjain099
Date: Wed, 13 May 2026 10:35:44 +0000
Subject: [PATCH] ci: declare contents: read on python-validation and yaml-validation
Both workflows only checkout the repo and run lint/test commands locally, so the default GITHUB_TOKEN's scope can be pinned to read-only.
Uses the per-job permissions style already in terraform-validation.yml.
Signed-off-by: Arpit Jain
---
 .github/workflows/python-validation.yml | 2 ++
 .github/workflows/yaml-validation.yml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/python-validation.yml b/.github/workflows/python-validation.yml
index 5e103fc3f0..0b7135ee23 100644
--- a/.github/workflows/python-validation.yml
+++ b/.github/workflows/python-validation.yml
@@ -9,6 +9,8 @@ env:
 PYTHON_MODULES_DIR: modules/python
 jobs:
 python-validation:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/yaml-validation.yml b/.github/workflows/yaml-validation.yml
index aa59abdcb2..6e6c51fce2 100644
--- a/.github/workflows/yaml-validation.yml
+++ b/.github/workflows/yaml-validation.yml
@@ -5,6 +5,8 @@ on:
 jobs:
 yaml-validation:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
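Review bot: The `permissions:` block added under `python-validation:` narrows the token only for that job, so any further job in the workflow (the job's steps and anything after them are below the hunk, outside this view) would keep the default `GITHUB_TOKEN` scope; if the file holds only this job the change is complete, otherwise a workflow-level `permissions:` above `jobs:` would also cover jobs added later, though the commit deliberately follows the per-job style of terraform-validation.yml. Since a job-level `permissions:` sets every scope not listed to `none`, the steps below should be confirmed to use the token for nothing beyond checkout (e.g. no check-run, PR-comment or release actions) before merging, as the commit message asserts but the hunk cannot show. A one-line comment such as `# least privilege: lint/test only reads the repository` directly above `permissions:` would record why the scope is narrowed for the next maintainer. The same points apply to the yaml-validation hunk.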