From 86efa5b6d9fe15be1d7d869b0552dab990cfcbb1 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Tue, 19 May 2026 07:35:43 +0900 Subject: [PATCH] ci(test): scope GITHUB_TOKEN to contents: read Tests workflow only checks out + installs deps + runs pnpm test. No API interaction beyond checkout, so contents: read covers it. Recent context: CVE-2025-30066 (tj-actions/changed-files) leaked any unspoken GITHUB_TOKEN scope from caller workflow logs. Per-workflow caps make the blast radius predictable. yaml.safe_load validated. Signed-off-by: Arpit Jain --- .github/workflows/test.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 87d0857..d2f1c14 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -8,6 +8,9 @@ on: branches: - main +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest
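Review bot: the token-consuming steps of the `test` job are outside this hunk (the trailing context stops at `runs-on: ubuntu-latest`), so the commit message's claim that nothing beyond checkout touches GITHUB_TOKEN cannot be verified from the diff itself, and `yaml.safe_load` passing only shows the file parses, not that every step's scope is covered. Suggest listing the job's steps in the commit message and confirming none of them pushes to the repository, comments on pull requests, uploads artifacts to a release, or publishes packages, since any of those would now fail with a permissions error under `contents: read`. Placing the block at the workflow top level is the right call: it applies to every job in the file, including any added later, and a future job that genuinely needs more can be granted it with a job-level `permissions:` entry instead of widening this default.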