From 0f775221c4a2e580b54abb1c3bded8dec6030147 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Thu, 21 May 2026 10:57:05 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on lint-docs and openapi-tests

Both workflows do read-only validation (markdown lint and openapi spec tests). No GitHub API writes from the workflow, so contents: read at the workflow level is the appropriate cap for the default GITHUB_TOKEN. Same post-CVE-2025-30066 supply-chain hardening pattern (tj-actions/changed-files compromise). Other docs workflows that use cache: pnpm or write paths are intentionally untouched. yaml.safe_load validated.

Signed-off-by: Arpit Jain
---
 .github/workflows/lint-docs.yml | 3 +++
 .github/workflows/openapi-tests.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/lint-docs.yml b/.github/workflows/lint-docs.yml
index caead940f3e..b5ca72b1924 100644
--- a/.github/workflows/lint-docs.yml
+++ b/.github/workflows/lint-docs.yml
@@ -8,6 +8,9 @@ on:
 - 'content/**/*.md'
 - 'content/**/*.mdx'
 
+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/openapi-tests.yml b/.github/workflows/openapi-tests.yml
index 88a43746745..b67504cd4a7 100644
--- a/.github/workflows/openapi-tests.yml
+++ b/.github/workflows/openapi-tests.yml
@@ -5,6 +5,9 @@ on:
 paths:
 - "code-example-tests/openapi/tests/**"
 
+permissions:
+ contents: read
+
 jobs:
 run:
 runs-on: ubuntu-latest
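Review bot: The new workflow-level `permissions:` block in lint-docs.yml is silently overridden by any job-level `permissions:` key, and the `lint:` job (and the `run:` job in the openapi-tests.yml hunk) continues past the hunk, so the read-only cap only holds if neither job declares its own broader block; please confirm that before merging. The intent is not recorded in the file itself, so a later edit adding `pull-requests: write` for an annotation step would loosen it without anyone noticing; a one-line comment above the block, `# Read-only validation: cap the default GITHUB_TOKEN to contents: read`, would make the contract visible where it is enforced. Capping the token limits what a compromised third-party action can do with it, but the commit message's cited incident was a compromised action, so this is complementary to pinning the workflows' actions to full commit SHAs rather than a substitute, presumably already handled elsewhere in this series. The same note applies to the openapi-tests.yml hunk.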