From 8c6f1fba5ce71c6eb97f1fdbc0a0f2e8bd838a59 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Thu, 14 May 2026 15:04:39 +0900 Subject: [PATCH] ci: declare read-all permissions on build-test workflow The build-test workflow has two jobs: gen-matrix -- actions/checkout + tj-actions/changed-files + actions/github-script to compute the matrix from the PR diff. No GitHub API write. build -- actions/checkout + docker/build-push-action with `push: false, load: true`, then docker run/test. No GitHub API write, no registry push. `permissions: read-all` at workflow scope matches the shorthand scorecard.yml already uses, and brings build-test in line with the per-job blocks declared by official-pr.yml, missing-checksum.yml, shfmt.yml, doctoc.yml, eclint.yml, automatic-updates.yml, and markdown-link-check.yml. Note: this workflow uses tj-actions/changed-files, the action behind CVE-2025-30066 (the March-2025 supply-chain attack). The compromised release exfiltrated the runner's GITHUB_TOKEN through workflow logs; the downstream blast radius scaled with whatever scope the token had been issued at. Pinning the workflow to read-only bounds that radius. Signed-off-by: Arpit Jain --- .github/workflows/build-test.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml index bc0e9cfd5..c5764b64f 100644 --- a/.github/workflows/build-test.yml +++ b/.github/workflows/build-test.yml @@ -15,6 +15,8 @@ on: - genMatrix.js - ".github/workflows/build-test.yml" +permissions: read-all + jobs: gen-matrix: name: generate-matrix
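Review bot: `permissions: read-all` grants read on every scope GitHub supports, including ones like `packages` and `deployments` that neither job touches; an explicit block stating the minimum, `permissions:` / `contents: read` (adding `pull-requests: read` only if the gen-matrix job's changed-files or github-script step actually calls the PR API rather than diffing the checkout), is tighter and easier to audit than the shorthand. Worth stating in the commit message that this bounds writes rather than removing the exposure: a read-scoped GITHUB_TOKEN exfiltrated the way CVE-2025-30066 is described can still read the repository and any private content the token can reach, so the complementary control is pinning tj-actions/changed-files to a full-length commit SHA, which this hunk does not show and should be confirmed. Also note that on `pull_request` runs from forks the token is already read-only, so the declaration mainly tightens same-repo branch runs and other triggers.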