
ci(security): add explicit top-level permissions to two workflows #6285

Open

camgrimsec wants to merge 2 commits into crewAIInc:main from camgrimsec:ci/explicit-top-level-permissions

Conversation

camgrimsec commented Jun 22, 2026


Two workflows are missing a top-level 'permissions' block:

  • .github/workflows/docs-broken-links.yml
  • .github/workflows/pr-size.yml

Without an explicit top-level block, GITHUB_TOKEN falls back to the repository default, which for repos created or migrated before the restricted default was rolled out can still be a permissive 'contents: write' across all unsetscoped jobs.

Setting the top-level scope to read-only and letting individual jobs opt up (as pr-size already does with 'pull-requests: write' at job scope) follows the OpenSSF Scorecard 'Token-Permissions' recommendation and trims the blast radius if a third-party action gets compromised.

Other workflows in this repo already follow this pattern (tests.yml, linter.yml, etc.); this just aligns the two outliers.

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow configurations with explicit permission settings.

Note: These are internal infrastructure changes with no impact to end-user functionality.

… and pr-size

Two workflows are missing a top-level 'permissions' block:
  - .github/workflows/docs-broken-links.yml
  - .github/workflows/pr-size.yml

Without an explicit top-level block, GITHUB_TOKEN falls back to the
repository default — which for repos created or migrated before the
restricted default was rolled out can still be a permissive 'contents:
write' across all unsetscoped jobs.

Setting the top-level scope to read-only and letting individual jobs
opt up (as pr-size already does with 'pull-requests: write' at job
scope) follows the OpenSSF Scorecard 'Token-Permissions' recommendation
and trims the blast radius if a third-party action gets compromised.

Other workflows in this repo already follow this pattern (tests.yml,
linter.yml, etc.) — this just aligns the two outliers.
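The pattern the description and commit message rely on is a top-level `permissions: contents: read` block with individual jobs opting up at job scope. The script below is an added example, not code from this PR or from the crewAI repository: it embeds three constructed workflow texts (a "before" shape with no top-level block, an "after" shape matching the PR's pattern with a job-level `pull-requests: write`, and an explicit but permissive `write-all` shorthand; none of these is the real docs-broken-links.yml or pr-size.yml) and runs a Scorecard-style Token-Permissions check over them. The `top_level_permissions` and `audit` helpers are hypothetical names. The check is line-based on purpose: top-level workflow keys always sit at column 0, so it needs no YAML library.

```python
import re
from typing import Dict, List, Optional

# Constructed sample workflows, not the crewAI repo's real files. The
# "before" shape has no top-level permissions block, so GITHUB_TOKEN takes
# the repository default; the "after" shape follows the PR's pattern:
# read-only at the top, with one job opting up to pull-requests: write.
WORKFLOW_BEFORE = """\
name: PR size
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  size:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
"""

WORKFLOW_AFTER = """\
name: PR size
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  size:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
"""

# Explicit, but maximally permissive shorthand (also constructed).
WORKFLOW_WRITE_ALL = """\
name: nightly
on:
  workflow_dispatch:
permissions: write-all
jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - run: echo hi
"""

# Top-level workflow keys always sit at column 0, so a line-based scan
# finds the block without a YAML library.
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_-]+):\s*(.*)$")
INDENTED_KEY = re.compile(r"^\s+([A-Za-z_-]+):\s*(.*)$")


def top_level_permissions(text: str) -> Optional[Dict[str, str]]:
    """Return the workflow's top-level permissions, or None if none is set.

    The mapping form yields {scope: level}; the shorthand scalar form
    (read-all / write-all / {}) yields {"*": value}.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = TOP_LEVEL_KEY.match(line)
        if not m or m.group(1) != "permissions":
            continue
        scalar = m.group(2).split("#", 1)[0].strip()
        if scalar:
            return {"*": scalar}
        scopes: Dict[str, str] = {}
        for sub in lines[i + 1:]:
            if not sub.strip() or sub.lstrip().startswith("#"):
                continue  # blank and comment lines do not end the mapping
            sm = INDENTED_KEY.match(sub)
            if not sm:
                break  # back at column 0: the mapping has ended
            scopes[sm.group(1)] = sm.group(2).split("#", 1)[0].strip()
        return scopes
    return None


def audit(name: str, text: str) -> List[str]:
    """Token-Permissions findings for one workflow, Scorecard-style."""
    perms = top_level_permissions(text)
    if perms is None:
        return [f"{name}: no top-level permissions block; "
                "GITHUB_TOKEN inherits the repository default"]
    return [f"{name}: top-level {scope}: {level} grants write to every job"
            for scope, level in perms.items()
            if level in ("write", "write-all")]


if __name__ == "__main__":
    for name, text in [("before.yml", WORKFLOW_BEFORE),
                       ("after.yml", WORKFLOW_AFTER),
                       ("write-all.yml", WORKFLOW_WRITE_ALL)]:
        for finding in audit(name, text) or [f"{name}: ok"]:
            print(finding)
```

Running it flags the "before" and "write-all" samples and passes the "after" sample, which is the state this PR leaves both workflows in. Job-level `permissions` blocks are deliberately ignored by the top-level scan: they only narrow or widen what the top-level block already grants, which is the reason the PR sets the restrictive default at the top and lets pr-size.yml opt a single job up to `pull-requests: write`.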

corridor-security Bot left a comment


Summary: This PR adds explicit read-only top-level GitHub Actions permissions to two workflows, reducing the default GITHUB_TOKEN scope. No exploitable security vulnerabilities were identified.

Risk: Low risk. The changes are CI permission hardening only and do not introduce new authentication, authorization, data handling, or runtime attack surfaces.

coderabbitai Bot commented Jun 22, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 0fa7cb7d-ac86-4447-891a-2ee938ed2d51

📥 Commits

Reviewing files that changed from the base of the PR and between 4cbfbdb and a53bb7f.

📒 Files selected for processing (2)
  • .github/workflows/docs-broken-links.yml
  • .github/workflows/pr-size.yml

📝 Walkthrough

Two GitHub Actions workflows (.github/workflows/docs-broken-links.yml and .github/workflows/pr-size.yml) each receive a new top-level permissions block that sets contents: read. No job steps, triggers, or other workflow logic are changed.

Changes

Workflow Permissions Hardening

Layer / File(s): Add read-only permissions to CI workflows (.github/workflows/docs-broken-links.yml, .github/workflows/pr-size.yml)
Summary: Both workflows add a top-level permissions: contents: read block, restricting the default GitHub token scope to read-only access for repository contents.
🚥 Pre-merge checks: 5 passed

Description Check: Passed. Check skipped: CodeRabbit's high-level summary is enabled.
Title check: Passed. The title accurately describes the main change: adding explicit top-level permissions to two workflows for security purposes.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
