From e2e02229cecce32a85eb43053e44d76b57a49c39 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Thu, 21 May 2026 10:48:36 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on backend-test and regression

Both workflows only run tests via checkout + Python/dataset operations; neither calls the GitHub API beyond fetching the repo. Workflow-level contents: read is the right ceiling for the default GITHUB_TOKEN. verify.yml is intentionally left out (uses cache: pnpm, would need actions: write for cache save). Same post-CVE-2025-30066 hardening shape (tj-actions/changed-files compromise). yaml.safe_load validated.

Signed-off-by: Arpit Jain
---
 .github/workflows/backend-test.yml | 3 +++
 .github/workflows/regression.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/backend-test.yml b/.github/workflows/backend-test.yml
index 317d89f13..4ee888c7e 100644
--- a/.github/workflows/backend-test.yml
+++ b/.github/workflows/backend-test.yml
@@ -12,6 +12,9 @@ on:
 paths:
 - backend/**
 
+permissions:
+ contents: read
+
 jobs:
 backend-test:
 name: Backend Test
diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml
index 2e97b85aa..a8e9a374a 100644
--- a/.github/workflows/regression.yml
+++ b/.github/workflows/regression.yml
@@ -19,6 +19,9 @@ on:
 - openai
 - gemini
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build
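Review bot: The new `permissions:` block in backend-test.yml (and the identical one in regression.yml) carries no comment saying why the ceiling is `contents: read`, so the next person who adds a job that needs more (a PR comment, a release upload) will likely widen it here rather than at job level; add `# Least-privilege ceiling for the default GITHUB_TOKEN: these jobs only check out the repo. Grant anything more per job, not here.` above `permissions:` in both files. The `jobs:` section lies outside the hunk, so whether any job already declares its own `permissions:` (which would raise the effective grant above this ceiling) cannot be confirmed from the diff and is worth checking in both workflows. The commit message's reason for leaving verify.yml out may not hold: as far as I know, `actions/cache` and the `cache:` option of the setup-* actions save entries using the runner's runtime token rather than GITHUB_TOKEN permissions, so `contents: read` would likely work there too — worth verifying before leaving it as the one workflow without a declared ceiling.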