From 77f7b53d5ea522292fa587ec16f253e9ea9fcfcf Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Tue, 26 May 2026 16:10:50 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 7 CI/lint workflows

Rebased onto current main to resolve conflicts.

Pins GITHUB_TOKEN to contents: read on workflows that don't write to the GitHub API.
Post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern.

Signed-off-by: Arpit Jain
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/coverity.yml | 3 +++
 .github/workflows/external.yml | 3 +++
 .github/workflows/redis_docs_sync.yaml | 3 +++
 .github/workflows/reply-schemas-linter.yml | 3 +++
 5 files changed, 15 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 92eb4e296..67583ed9a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test-ubuntu-latest:
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 3f125ae4d..8297e2bd0 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -11,6 +11,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   coverity:
     if: github.repository == 'redis/redis'
diff --git a/.github/workflows/external.yml b/.github/workflows/external.yml
index 75501d248..93ca70566 100644
--- a/.github/workflows/external.yml
+++ b/.github/workflows/external.yml
@@ -10,6 +10,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test-external-standalone:
     runs-on: ubuntu-latest
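Review bot: The new `permissions:` block sets every GITHUB_TOKEN scope other than `contents` to `none`, so any job in ci.yml that still writes through the token (check-run annotations, PR comments, artifact attestations) will now fail with a 403; the jobs are outside this hunk, so each one needs to be confirmed before merge, and any genuine write need should be granted with a job-level `permissions:` rather than by widening this block. A short comment would keep the next editor from reverting it: `# Least-privilege GITHUB_TOKEN: scopes not listed here are "none"; grant extra scopes per job.` A read-only token limits what a compromised third-party action can do with that credential, but it does not stop a tj-actions-style payload from dumping other secrets present in the runner environment, so pinning actions to commit SHAs remains the complementary control this commit does not touch. The subject line says seven workflows while the diffstat lists five, presumably a leftover from the rebase.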
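Review bot: The `contents: read` ceiling here constrains only GITHUB_TOKEN, and a Coverity scan upload is normally authenticated with a separate scan token supplied from `secrets` (the steps are outside this hunk, so this is inferred from the job name); that credential's reach is unchanged by this commit, and the "hardening" claim in the commit message should be read with that limit in mind. Since the job is already gated with `if: github.repository == 'redis/redis'`, the remaining check worth doing is that nothing after checkout relies on GITHUB_TOKEN for a write scope. A one-line comment above `permissions:` would record the reasoning: `# GITHUB_TOKEN only needs checkout; the Coverity upload uses its own secret`.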
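Review bot: Declaring the block file by file leaves a gap for any workflow added later without it, so the same restriction should also be applied once at the repository level (Settings → Actions → General → Workflow permissions → read-only), which makes `contents: read` the default and turns these per-file blocks into a statement of intent rather than the only guard. For `test-external-standalone` the declaration looks right — nothing in the hunk needs a write scope, though the job's steps continue past it. On `pull_request` runs from forks the token is already read-only regardless; the practical value of this block is on `push`, `schedule` and `workflow_dispatch` runs, which is worth saying in the commit message so the change is not mistaken for a fork-PR mitigation.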
diff --git a/.github/workflows/redis_docs_sync.yaml b/.github/workflows/redis_docs_sync.yaml
index 154e69530..b3abbf9b5 100644
--- a/.github/workflows/redis_docs_sync.yaml
+++ b/.github/workflows/redis_docs_sync.yaml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   redis_docs_sync:
     if: github.repository == 'redis/redis'
diff --git a/.github/workflows/reply-schemas-linter.yml b/.github/workflows/reply-schemas-linter.yml
index 9e292927d..44e05383e 100644
--- a/.github/workflows/reply-schemas-linter.yml
+++ b/.github/workflows/reply-schemas-linter.yml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   reply-schemas-linter:
     runs-on: ubuntu-latest
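Review bot: `redis_docs_sync` fires on `release: published` and, judging by its name, pushes or opens a pull request against a docs repository — something a read-only GITHUB_TOKEN cannot do, and something GITHUB_TOKEN cannot do cross-repository at all. The job body is outside the hunk, so one of two things is true: it authenticates with a PAT or App token from `secrets`, in which case this change neither breaks nor constrains it and the commit message's "workflows that don't write to the GitHub API" wording is inaccurate for this file; or it writes to this repository via GITHUB_TOKEN, in which case it now fails on the next release and needs a job-level `permissions: contents: write` under `redis_docs_sync:`. Please confirm which before merge and record it with a comment above `permissions:`, e.g. `# Docs sync authenticates with its own secret; GITHUB_TOKEN stays read-only`.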