From ab8c5ccf9f9ed02d0358ddeae8d5c6075dc6dda7 Mon Sep 17 00:00:00 2001
From: sudoforge <no-reply@sudoforge.com>
Date: Sat, 17 May 2025 21:36:03 -0700
Subject: [PATCH] ci: limit default permissions to contents.read (#1447)

This change refactors all root pipelines (`trunk` and `presubmit`) to
limit the contents permission to read. By default, GitHub has taken the
overly-permissive approach of granting all permissions if the
`permissions` map is not explicitly defined. Usability wins out over
security, again.

Change-Id: Idaca851385fb82eefd6c7c9b8ee46b85a3f4901c
---
 .github/workflows/presubmit.yml | 3 +++
 .github/workflows/trunk.yml     | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/presubmit.yml b/.github/workflows/presubmit.yml
index b6e2aa77..a6a17fa8 100644
--- a/.github/workflows/presubmit.yml
+++ b/.github/workflows/presubmit.yml
@@ -20,6 +20,9 @@ concurrency:
   group: ${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     uses: ./.github/workflows/build-and-test.yml
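Review bot: The workflow-level `permissions` block added before `jobs:` sets every scope other than `contents` to `none` for all jobs in the file, including `build-and-test`, which calls the reusable workflow `./.github/workflows/build-and-test.yml`; a called workflow cannot be granted more than the calling job, so if that workflow needs any write scope (for example `checks` or `pull-requests`) the call will fail at run time unless the job adds its own `permissions:` override. The identical hunk in `.github/workflows/trunk.yml` has the same effect. Since the commit message describes the change as limiting only `contents` to read, a comment above the block stating the wider effect would help the next maintainer, e.g. `# Default token for every job: contents read-only, all other scopes none; jobs needing more must request it at job level.` The remainder of the `jobs:` map lies outside the hunk, so any other jobs affected are not visible here.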
diff --git a/.github/workflows/trunk.yml b/.github/workflows/trunk.yml
index 7e5243ac..714e94c7 100644
--- a/.github/workflows/trunk.yml
+++ b/.github/workflows/trunk.yml
@@ -15,6 +15,9 @@ concurrency:
   group: ${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     uses: ./.github/workflows/build-and-test.yml
-- 
GitLab