From a53bb7f28d4e035dc77c565b7faf2d575ed4677f Mon Sep 17 00:00:00 2001
From: Cameron G
Date: Mon, 22 Jun 2026 17:39:50 +0000
Subject: [PATCH] ci(security): add explicit top-level permissions to docs-broken-links and pr-size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two workflows are missing a top-level 'permissions' block:
- .github/workflows/docs-broken-links.yml
- .github/workflows/pr-size.yml

Without an explicit top-level block, GITHUB_TOKEN falls back to the repository default — which for repos created or migrated before the restricted default was rolled out can still be a permissive 'contents: write' across all unsetscoped jobs. Setting the top-level scope to read-only and letting individual jobs opt up (as pr-size already does with 'pull-requests: write' at job scope) follows the OpenSSF Scorecard 'Token-Permissions' recommendation and trims the blast radius if a third-party action gets compromised.

Other workflows in this repo already follow this pattern (tests.yml, linter.yml, etc.) — this just aligns the two outliers.
---
 .github/workflows/docs-broken-links.yml | 3 +++
 .github/workflows/pr-size.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/docs-broken-links.yml b/.github/workflows/docs-broken-links.yml
index 38ca499a4b..e1b9aeb0e6 100644
--- a/.github/workflows/docs-broken-links.yml
+++ b/.github/workflows/docs-broken-links.yml
@@ -13,6 +13,9 @@ on:
 - "docs.json"
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 check-links:
 name: Check broken links
diff --git a/.github/workflows/pr-size.yml b/.github/workflows/pr-size.yml
index 85ef9b003b..b26b51ba08 100644
--- a/.github/workflows/pr-size.yml
+++ b/.github/workflows/pr-size.yml
@@ -4,6 +4,9 @@ on:
 pull_request:
 types: [opened, synchronize, reopened]
 
+permissions:
+ contents: read
+
 jobs:
 pr-size:
 runs-on: ubuntu-latest
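Review bot: The new top-level `contents: read` in docs-broken-links.yml is now the only scope the check-links job receives, and the job's steps sit outside this hunk; if any step files or updates an issue with the broken-link report, it will fail with a 403 after this change unless the job opts up with a job-level `permissions: issues: write`, which the description mentions only for pr-size. That is inferred from the commit description rather than visible steps, so it is worth confirming against the job body. A one-line comment above the block would make the pattern explicit for the next editor, e.g. `# Least-privilege default; jobs that need more opt up with a job-level permissions block.` The check-links job definition continues outside the hunk.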
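Review bot: With the `pull_request` trigger visible at the top of this hunk in pr-size.yml, pull requests from forks run with a read-only GITHUB_TOKEN regardless of what `permissions` declares, so the job-level `pull-requests: write` the description relies on (outside this hunk) only takes effect for same-repository branches, and a labelling or comment step will fail on fork PRs. If that is the intended trade-off, record it next to the new block, e.g. `# Top-level read-only; the pr-size job opts up to pull-requests: write, which GitHub still limits to read for fork PRs.` Supporting fork PRs would be a separate design decision (a `pull_request_target` trigger with its own trust boundary) rather than a permissions tweak. The pr-size job body continues outside the hunk.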