From 9a8d7e20f6050e6488d423e4898e2971893d9248 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Thu, 14 May 2026 10:14:17 +0900 Subject: [PATCH] ci: declare workflow-scope permissions on pr, pr-prod-build, add-to-project Three workflows currently inherit whatever scope the repository default grants: - add-to-project.yaml only uses actions/add-to-project with the TRAEFIKINFRA_ADD2PROJECT external PAT. The implicit GITHUB_TOKEN is unused, so `permissions: {}` pins the workflow to zero scopes. - pr.yaml runs yarn lint/test/build. No GitHub API write. - pr-prod-build.yaml runs a production build test. No GitHub API write. Both build workflows use safe-chain (downloaded by hash) and SHA- pinned third-party actions; pinning the read-only scope narrows the blast radius of those dependencies. Matches the workflow-level permissions blocks already used in main.yaml, pr_title.yaml, and release.yaml. renovate.yaml left out: it calls dawidd6/action-download-artifact and upload-artifact across runs, which warrants a more careful look. Signed-off-by: Arpit Jain --- .github/workflows/add-to-project.yaml | 2 ++ .github/workflows/pr-prod-build.yaml | 3 +++ .github/workflows/pr.yaml | 3 +++ 3 files changed, 8 insertions(+) diff --git a/.github/workflows/add-to-project.yaml b/.github/workflows/add-to-project.yaml index 8c81b644..6262610f 100644 --- a/.github/workflows/add-to-project.yaml +++ b/.github/workflows/add-to-project.yaml @@ -5,6 +5,8 @@ on: types: - opened +permissions: {} + jobs: add-to-project: name: Add PR to Traefik Labs project diff --git a/.github/workflows/pr-prod-build.yaml b/.github/workflows/pr-prod-build.yaml index 6fd63598..3be14d47 100644 --- a/.github/workflows/pr-prod-build.yaml +++ b/.github/workflows/pr-prod-build.yaml @@ -6,6 +6,9 @@ on: env: SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 72 # 3 days +permissions: + contents: read + jobs: faency: name: Production build test 
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 47e13c22..bbecd8cd 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -6,6 +6,9 @@ on: env: SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 72 # 3 days +permissions: + contents: read + jobs: faency: name: Test, lint and build
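Review bot: In the add-to-project.yaml hunk, `permissions: {}` zeroes every scope of the implicit GITHUB_TOKEN, so the job is correct only as long as actions/add-to-project is given the TRAEFIKINFRA_ADD2PROJECT PAT and no other step (an actions/checkout, for instance) silently relies on GITHUB_TOKEN; the visible context (`types: - opened` and the job name) does not show the steps, so please confirm the `github-token` input of the action is the PAT and consider a one-line comment above `permissions: {}` stating that the PAT is the only credential the workflow uses, so a later contributor who adds a step does not hit an unexplained 403.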
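Review bot: In the pr-prod-build.yaml hunk, a workflow-level block that lists only `contents: read` sets every unlisted scope to none, which is the intent but also means any job that writes back to GitHub (posting a PR comment, uploading a check annotation, calling `actions/upload-artifact` is fine, but anything under `pull-requests` or `checks` is not) would start failing; the hunk shows only `env:` and the `faency` job name, so please verify that the production build test has no such step, and if one exists, grant the extra scope at job level rather than widening the workflow block. Placement between `env:` and `jobs:` is fine, and `contents: read` is exactly what `actions/checkout` needs.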
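Review bot: In the pr.yaml hunk the same `permissions: contents: read` block is added verbatim, so the same check applies: lint, test and build steps need nothing beyond `contents: read`, but if the `faency` job ever reports results back to the PR it will need a job-level `pull-requests: write` or `checks: write`. Since pr.yaml and pr-prod-build.yaml now carry identical `env:` and `permissions:` preambles, a short comment referencing the repository's existing pattern in main.yaml and pr_title.yaml (named in the commit message) would help keep the three blocks in sync when one is changed.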