
ci: declare workflow-level contents: read on 1 workflows #1653

Open

arpitjain099 wants to merge 1 commit into vuejs:main from arpitjain099:chore/declare-workflow-perms-readonly

ci: declare workflow-level contents: read on 1 workflows#1653
arpitjain099 wants to merge 1 commit into
vuejs:mainfrom
arpitjain099:chore/declare-workflow-perms-readonly

Conversation


arpitjain099 commented May 17, 2026

Pins the default GITHUB_TOKEN to contents: read on 1 workflow in .github/workflows/ that doesn't call a GitHub API beyond the initial checkout.

Left implicit because they reference GITHUB_TOKEN, use a write-scope action, or trigger on pull_request_target, so they are best declared by a maintainer: docs-prs.yml, docs.yml.

Why

CVE-2025-30066 (March 2025 tj-actions/changed-files supply-chain compromise) exfiltrated GITHUB_TOKEN from workflow logs. Pinning per workflow caps runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load on each touched file.

Summary by CodeRabbit

  • Chores
    • Enhanced security configuration in automated workflows by implementing explicit, restricted permissions for token access.

Commit message

Pins the default GITHUB_TOKEN to contents: read on workflows that don't
call a GitHub API beyond the initial checkout. Other workflows that need
write scopes are left implicit for a maintainer to declare.

Motivation: CVE-2025-30066 (March 2025 tj-actions/changed-files
compromise) exfiltrated GITHUB_TOKEN from workflow logs. Per-workflow
caps bound runtime authority irrespective of repo or org default,
give drift protection, and are credited per-file by the OpenSSF
Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
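The triage rule the PR applies (pin workflows that only check out code; leave anything that references GITHUB_TOKEN or runs on pull_request_target to a maintainer) can be turned into a script. The block below is an added example, not code from this PR or from the vuejs repository: the names SAMPLE_WORKFLOWS, classify, pin_read_only, triage and harden are assumptions, the three workflow texts are constructed samples rather than files from the repo, and the checks are line-oriented regex heuristics, not a YAML parser.

```python
"""Triage GitHub Actions workflows for a workflow-level `contents: read` pin.

Added example, not code from the PR or the vuejs repository. A workflow with
no top-level `permissions:` that neither references GITHUB_TOKEN nor runs on
pull_request_target is a candidate for the pin; everything else is reported
for a maintainer. Regex heuristics only; no YAML parser is used.
"""
import re
import textwrap

# Constructed sample workflows keyed by file name (hypothetical, not the repo's).
SAMPLE_WORKFLOWS = {
    # Only checks out code and runs tests: safe to pin.
    "build.yml": textwrap.dedent("""\
        name: build
        on:
          push:
            branches: [main]
        jobs:
          build:
            runs-on: ubuntu-latest
            steps:
              - uses: actions/checkout@v4
              - run: npm ci && npm test
        """),
    # Uses the default token and runs on pull_request_target: maintainer's call.
    "label.yml": textwrap.dedent("""\
        name: label
        on:
          pull_request_target:
            types: [opened]
        jobs:
          label:
            runs-on: ubuntu-latest
            steps:
              - uses: actions/labeler@v5
                with:
                  repo-token: ${{ secrets.GITHUB_TOKEN }}
        """),
    # Already declares permissions explicitly: nothing to do.
    "release.yml": textwrap.dedent("""\
        name: release
        on:
          push:
            tags: ['v*']
        permissions:
          contents: write
        jobs:
          publish:
            runs-on: ubuntu-latest
            steps:
              - uses: actions/checkout@v4
              - run: npm publish
        """),
}

# A column-0 permissions block; job-level blocks are indented and deliberately
# not counted, because the PR pins at workflow level.
TOP_LEVEL_PERMISSIONS = re.compile(r"^permissions:", re.MULTILINE)
# Either spelling GitHub accepts for the default token.
TOKEN_REFERENCE = re.compile(r"secrets\.GITHUB_TOKEN|github\.token")
# Matched anywhere in the file: a false positive only sends it to review.
PR_TARGET = re.compile(r"\bpull_request_target\b")

READ_ONLY_BLOCK = "permissions:\n  contents: read\n"


def classify(workflow_text: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is 'declared', 'needs-maintainer'
    or 'pin-read-only'."""
    if TOP_LEVEL_PERMISSIONS.search(workflow_text):
        return "declared", []
    reasons = []
    if TOKEN_REFERENCE.search(workflow_text):
        reasons.append("references GITHUB_TOKEN")
    if PR_TARGET.search(workflow_text):
        reasons.append("triggers on pull_request_target")
    if reasons:
        return "needs-maintainer", reasons
    return "pin-read-only", []


def pin_read_only(workflow_text: str) -> str:
    """Insert the read-only block just above the top-level `jobs:` key, which
    every workflow has; if it is absent, prepend the block instead."""
    match = re.search(r"^jobs:", workflow_text, re.MULTILINE)
    if match is None:
        return READ_ONLY_BLOCK + workflow_text
    return workflow_text[:match.start()] + READ_ONLY_BLOCK + workflow_text[match.start():]


def triage(workflows: dict[str, str]) -> dict[str, tuple[str, list[str]]]:
    """Classify every workflow in a name -> text mapping."""
    return {name: classify(text) for name, text in workflows.items()}


def harden(workflows: dict[str, str]) -> dict[str, str]:
    """Return only the workflows the pin applies to, with the block inserted."""
    return {name: pin_read_only(text) for name, text in workflows.items()
            if classify(text)[0] == "pin-read-only"}


if __name__ == "__main__":
    for name, (verdict, reasons) in triage(SAMPLE_WORKFLOWS).items():
        suffix = f" ({'; '.join(reasons)})" if reasons else ""
        print(f"{name}: {verdict}{suffix}")
    for name, text in harden(SAMPLE_WORKFLOWS).items():
        print(f"--- {name} (pinned) ---\n{text}")
```

To run it over a real checkout, read each .github/workflows/*.yml into the dictionary instead of SAMPLE_WORKFLOWS. Anything reported as needs-maintainer still has to be read by hand: the script cannot tell which third-party actions need write scopes, and a workflow-level contents: read does not stop a job from widening its own permissions with a job-level block.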

coderabbitai Bot commented May 17, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between efec240 and 57abb48.

📒 Files selected for processing (1)
  • .github/workflows/pkg.pr.new.yml

📝 Walkthrough

The PR adds an explicit permissions section to the GitHub Actions workflow, restricting the GITHUB_TOKEN to contents: read only. This limits token capabilities to the minimum required for the workflow to function, improving security posture without modifying job logic or steps.

Changes

Token Security Hardening

Layer: Workflow token permissions restriction
File(s): .github/workflows/pkg.pr.new.yml
Summary: The GITHUB_TOKEN is explicitly restricted to contents: read via a new top-level permissions section, reducing the default token's broad access scope.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A tiny lock, three lines deep,
Keeps the token's secrets safe to keep,
contents: read and nothing more—
Security knocks on GitHub's door! 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly summarizes the main change: declaring workflow-level contents: read permissions on GitHub Actions workflows for security purposes.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
