From ebdf729d8138bff108a696caf4bb77db4e6cef2d Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Tue, 26 May 2026 15:31:42 +0900
Subject: [PATCH 1/2] ci: declare workflow-level contents: read on 6 CI workflows

Adds workflow-level contents: read to six CI workflows that run pure checks (checkDependencies, ci, doCleanCode, pr-checks, unit-tests, version-increments). No GitHub API writes from the workflows. Same post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. yaml.safe_load validated.

Signed-off-by: Arpit Jain
---
 .github/workflows/checkDependencies.yml | 3 +++
 .github/workflows/ci.yml | 3 +++
 .github/workflows/doCleanCode.yml | 3 +++
 .github/workflows/pr-checks.yml | 3 +++
 .github/workflows/unit-tests.yml | 3 +++
 .github/workflows/version-increments.yml | 3 +++
 6 files changed, 18 insertions(+)

diff --git a/.github/workflows/checkDependencies.yml b/.github/workflows/checkDependencies.yml
index ccc47fef2a3..5a99ba62d75 100644
--- a/.github/workflows/checkDependencies.yml
+++ b/.github/workflows/checkDependencies.yml
@@ -7,6 +7,9 @@ on:
 schedule:
 - cron: '0 0 * * *'
 
+permissions:
+ contents: read
+
 jobs:
 check-dependencies:
 uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/checkDependencies.yml@master
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fde222c38eb..884cbf53ea5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,6 +15,9 @@ on:
 - 'docs/**'
 - '*.md'
 
+permissions:
+ contents: read
+
 jobs:
 build:
 uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/mavenBuild.yml@master
diff --git a/.github/workflows/doCleanCode.yml b/.github/workflows/doCleanCode.yml
index 3a0d9ea0d92..11c682bc2a5 100644
--- a/.github/workflows/doCleanCode.yml
+++ b/.github/workflows/doCleanCode.yml
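Review bot: The workflow-level `permissions` block added before `jobs:` also caps the GITHUB_TOKEN handed to the reusable workflow on the `uses:` line (checkDependencies.yml@master), since a called workflow cannot obtain scopes the caller does not grant; the same applies to the ci.yml, doCleanCode.yml and version-increments.yml hunks. The commit message asserts these callees make no API writes, but patch 2 of this series shows the same assumption failed for pr-checks.yml and unit-tests.yml, so each remaining callee's own `permissions:` block should be compared against this cap before merge. version-increments.yml is the closest parallel: it is a `workflow_run` caller of publishVersionCheckResults.yml, which by analogy with publishTestResults.yml (noted in patch 2 as needing checks: write and pull-requests: write) may need more than contents: read — this is inferred from the name and should be confirmed against the callee. Because each callee is referenced at `@master` rather than a pinned ref, a later change to a callee's required scopes would only surface at run time, so a comment above the block such as `# Caps the token of the reusable workflow below; keep in sync with its declared permissions.` would make the coupling visible to the next editor.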
@@ -7,6 +7,9 @@ on:
 schedule:
 - cron: '0 2 * * *'
 
+permissions:
+ contents: read
+
 jobs:
 clean-code:
 uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/cleanCode.yml@master
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index d8dfc50969a..61e4a4b4792 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -9,6 +9,9 @@ on:
 pull_request:
 branches: [ master ]
 
+permissions:
+ contents: read
+
 jobs:
 check-freeze-period:
 uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/verifyFreezePeriod.yml@master
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index 32759a5869b..f5650319d91 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -6,6 +6,9 @@ on:
 types:
 - completed
 
+permissions:
+ contents: read
+
 jobs:
 check:
 uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/publishTestResults.yml@master
diff --git a/.github/workflows/version-increments.yml b/.github/workflows/version-increments.yml
index 7f0450b41ac..c4d9915aefb 100644
--- a/.github/workflows/version-increments.yml
+++ b/.github/workflows/version-increments.yml
@@ -5,6 +5,9 @@ on:
 workflows: [ 'Pull-Request Checks' ]
 types: [ completed ]
 
+permissions:
+ contents: read
+
 jobs:
 publish-version-check-results:
 uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/publishVersionCheckResults.yml@master

From a5fb91cc2fade66e2f69be26e303104275b4f9c2 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Fri, 5 Jun 2026 21:08:34 +0900
Subject: [PATCH 2/2] ci: drop workflow-perms cap on reusable-workflow callers

pr-checks.yml and unit-tests.yml only call reusable workflows. A caller's workflow-level permissions cap the GITHUB_TOKEN for the called workflow, which cannot request more than the caller grants. The contents: read block here was stripping scopes the callees need:
- verifyFreezePeriod.yml needs issues: read (milestone lookup)
- checkMergeCommits.yml needs pull-requests: read
- publishTestResults.yml needs checks: write, pull-requests: write, issues: read and actions: read

This is what broke validation (pr-checks.yml line 16, reported by @akurtakov). Revert the permissions block on these two reusable-only callers; each reusable workflow already declares its own least-privilege permissions. The contents: read additions on the non-affected workflows in this PR are kept.

Signed-off-by: Arpit Jain
---
 .github/workflows/pr-checks.yml | 3 ---
 .github/workflows/unit-tests.yml | 3 ---
 2 files changed, 6 deletions(-)

diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index 61e4a4b4792..d8dfc50969a 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -9,9 +9,6 @@ on:
 pull_request:
 branches: [ master ]
 
-permissions:
- contents: read
-
 jobs:
 check-freeze-period:
 uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/verifyFreezePeriod.yml@master
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index f5650319d91..32759a5869b 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -6,9 +6,6 @@ on:
 types:
 - completed
 
-permissions:
- contents: read
-
 jobs:
 check:
 uses: eclipse-platform/eclipse.platform.releng.aggregator/.github/workflows/publishTestResults.yml@master