From 4ad78b8b06f674372248e26af777a965b701cfae Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Fri, 15 May 2026 07:32:12 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on the 9 python-N.yml build workflows

Pins the default GITHUB_TOKEN to contents: read on the per-Python- version build workflows. Each one runs sphinx-build / msgfmt against the translated rst files and uploads the rendered HTML as a workflow artifact - no GitHub API mutation.

- python-37.yml, python-38.yml, python-39.yml, python-310.yml, python-311.yml, python-312.yml, python-313.yml, python-314.yml, python-315.yml

update-tx-config.yml is intentionally left implicit; it commits and pushes via GITHUB_TOKEN, so the scope is best declared by the maintainer who owns the translation-sync flow.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow caps bound runtime authority irrespective of repo or org default, give drift protection if the default ever widens, and are credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain
---
 .github/workflows/python-310.yml | 3 +++
 .github/workflows/python-311.yml | 3 +++
 .github/workflows/python-312.yml | 3 +++
 .github/workflows/python-313.yml | 3 +++
 .github/workflows/python-314.yml | 3 +++
 .github/workflows/python-315.yml | 3 +++
 .github/workflows/python-37.yml | 3 +++
 .github/workflows/python-38.yml | 3 +++
 .github/workflows/python-39.yml | 3 +++
 9 files changed, 27 insertions(+)

diff --git a/.github/workflows/python-310.yml b/.github/workflows/python-310.yml
index 35a148f472..ffeb1834a5 100644
--- a/.github/workflows/python-310.yml
+++ b/.github/workflows/python-310.yml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: "22 * * * *"
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     uses: ./.github/workflows/sync.yml
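Review bot: The new `permissions: contents: read` at workflow level also caps the GITHUB_TOKEN handed to the reusable workflow called at `uses: ./.github/workflows/sync.yml` (a called workflow can narrow the caller's grant but never widen it), and nothing in this hunk shows what sync.yml does with that token. The commit message states the run only builds and uploads an artifact, but the job is named `sync`, so if that workflow ever commits or pushes translations the push would now fail with a 403 on the hourly schedule rather than at review time. Worth confirming against sync.yml's own `permissions:` block before merging, and recording the intent above the new block, e.g. `# Read-only GITHUB_TOKEN; sync.yml inherits this cap and must not need write scopes.` The `sync` job's remaining keys (`with:`/`secrets:`, if any) continue outside the hunk.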
diff --git a/.github/workflows/python-311.yml b/.github/workflows/python-311.yml
index 4fa85bb77f..cea293e278 100644
--- a/.github/workflows/python-311.yml
+++ b/.github/workflows/python-311.yml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: "32 * * * *"
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     uses: ./.github/workflows/sync.yml
diff --git a/.github/workflows/python-312.yml b/.github/workflows/python-312.yml
index 75cc1d35e5..2484ff79e1 100644
--- a/.github/workflows/python-312.yml
+++ b/.github/workflows/python-312.yml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: "42 * * * *"
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     uses: ./.github/workflows/sync.yml
diff --git a/.github/workflows/python-313.yml b/.github/workflows/python-313.yml
index 5cf9c8340e..62839a9f2d 100644
--- a/.github/workflows/python-313.yml
+++ b/.github/workflows/python-313.yml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: "52 * * * *"
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     uses: ./.github/workflows/sync.yml
diff --git a/.github/workflows/python-314.yml b/.github/workflows/python-314.yml
index 7f4d564260..0ec3e8a7fc 100644
--- a/.github/workflows/python-314.yml
+++ b/.github/workflows/python-314.yml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: "2 * * * *"
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     uses: ./.github/workflows/sync.yml
diff --git a/.github/workflows/python-315.yml b/.github/workflows/python-315.yml
index 6618f4c556..a625f3443c 100644
--- a/.github/workflows/python-315.yml
+++ b/.github/workflows/python-315.yml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: "12 * * * *"
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     uses: ./.github/workflows/sync.yml
diff --git a/.github/workflows/python-37.yml b/.github/workflows/python-37.yml
index 47c224c3b5..5598a26705 100644
--- a/.github/workflows/python-37.yml
+++ b/.github/workflows/python-37.yml
@@ -2,6 +2,9 @@ name: python-37
 
 on: workflow_dispatch
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     uses: ./.github/workflows/sync.yml
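Review bot: The added `permissions:` block constrains only the auto-generated GITHUB_TOKEN; it does nothing for any repository secret the `sync` job might forward to sync.yml (for example via `secrets: inherit`, which would sit outside this hunk). If sync.yml pushes with a PAT or reaches Transifex with a stored token, those credentials keep their full authority under the same log-exfiltration scenario the commit message cites, so the claim "no GitHub API mutation" should be verified against the callee rather than the nine callers. For a `workflow_dispatch`-only workflow like python-37 that is a manual run, but the same consideration applies to the hourly `schedule` hunks above it. A short remark in the commit message or above the block would stop the next reader from taking the cap as covering every credential.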
diff --git a/.github/workflows/python-38.yml b/.github/workflows/python-38.yml
index 9d0bc6daf1..cc7c5178ea 100644
--- a/.github/workflows/python-38.yml
+++ b/.github/workflows/python-38.yml
@@ -2,6 +2,9 @@ name: python-38
 
 on: workflow_dispatch
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     uses: ./.github/workflows/sync.yml
diff --git a/.github/workflows/python-39.yml b/.github/workflows/python-39.yml
index 9a6868d926..665481529c 100644
--- a/.github/workflows/python-39.yml
+++ b/.github/workflows/python-39.yml
@@ -3,6 +3,9 @@ name: python-39
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     uses: ./.github/workflows/sync.yml
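Review bot: The added block carries no comment saying why it is pinned to read-only or that the grant flows into the reusable sync.yml, so a future maintainer who adds a pushing step will learn about the cap only from a failed run. Suggest a one-liner above it: `# Least-privilege GITHUB_TOKEN (OpenSSF Token-Permissions); sync.yml inherits this cap.` Separately, python-39 spells its trigger as a mapping (`on:` / `  workflow_dispatch:`) while python-37/38 use the scalar `on: workflow_dispatch`; both are valid YAML, but if these nine files are being brought into line it is worth normalizing in the same pass. The `sync` job definition continues past the end of the hunk.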