From 1b90fb7fa012f488c75a1d6c0b09af6add704905 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Wed, 13 May 2026 16:06:38 +0900
Subject: [PATCH] ci: explicitly grant contents: read in presubmit and deploy callers

The two deploy callers (postsubmit, unstable-channel) only pass secrets through to the reusable deployment.yaml. The reusable already declares contents: read at its workflow level, so the callers' explicit contents: read intersects to the same scope - no scope regression.

presubmit.yaml builds Go, runs tests + lint, builds Debian and Docker artifacts, and runs E2E tests. All read-side from a GITHUB_TOKEN perspective.
---
 .github/workflows/postsubmit.yaml | 3 +++
 .github/workflows/presubmit.yaml | 3 +++
 .github/workflows/unstable-channel.yaml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/postsubmit.yaml b/.github/workflows/postsubmit.yaml
index 9b3db3f5..a7a965b3 100644
--- a/.github/workflows/postsubmit.yaml
+++ b/.github/workflows/postsubmit.yaml
@@ -5,6 +5,9 @@ on:
     branches:
     - main
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     if: github.repository_owner == 'google'
diff --git a/.github/workflows/presubmit.yaml b/.github/workflows/presubmit.yaml
index 34fed9e5..f377967f 100644
--- a/.github/workflows/presubmit.yaml
+++ b/.github/workflows/presubmit.yaml
@@ -6,6 +6,9 @@ on:
     branches-ignore:
     - main # push events to main branch occur after PRs are merged, when the same checks were run
 
+permissions:
+  contents: read
+
 jobs:
   build-test:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/unstable-channel.yaml b/.github/workflows/unstable-channel.yaml
index d30f9c91..4ba4abe3 100644
--- a/.github/workflows/unstable-channel.yaml
+++ b/.github/workflows/unstable-channel.yaml
@@ -5,6 +5,9 @@ on:
     branches:
     - 'version-[0-9]+.[0-9]+-dev'
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     if: github.repository_owner == 'google'
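Review bot: The new workflow-level `permissions:` block in postsubmit.yaml (and the identical block in unstable-channel.yaml) also caps what the called deployment.yaml can obtain, because a reusable workflow's permissions are intersected with the caller's; any scope the reusable needs beyond contents: read, such as id-token: write if it authenticates through OIDC, must be granted in the caller, which the commit message explains but the file itself does not record. A one-line comment above the block would keep a later edit from silently breaking the deploy job; suggested: `# Caps the token handed to the reusable deployment.yaml; any wider scope it needs must be granted here.` I cannot see deployment.yaml, so whether it currently needs only read is inferred from the commit message. The `on:` mapping starts before this hunk.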
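Review bot: The workflow-level `permissions: contents: read` in presubmit.yaml applies to every job, including the Docker and E2E jobs the commit message mentions; if any of them pulls images with the GITHUB_TOKEN or posts check annotations, that job now needs a job-level `permissions:` override rather than a wider grant at the top of the file. Whether such steps exist is not visible here, since the hunk ends at `runs-on: ubuntu-24.04`, so this is inferred from the commit message only. A short comment above the block would document the intent for the next maintainer: `# Read-only token for the whole workflow; grant extra scopes per job, not here.` The `on:` mapping starts before this hunk and the `build-test` job continues after it.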