From e962b178b5c73d1af155332312b5520e67946e33 Mon Sep 17 00:00:00 2001
From: Arpit Jain <arpitjain099@gmail.com>
Date: Sun, 31 May 2026 10:20:09 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on 1 workflow

Declares an explicit workflow-level permissions: contents: read on 1 workflow that currently inherit the default broad read-write GITHUB_TOKEN. Each file was inspected and only reads the checkout; none publish, push, or write via the GitHub API. Post-CVE-2025-30066 hardening default.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
---
 .github/workflows/social-rfc-update.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/social-rfc-update.yml b/.github/workflows/social-rfc-update.yml
index f36982c5..0496dcfa 100644
--- a/.github/workflows/social-rfc-update.yml
+++ b/.github/workflows/social-rfc-update.yml
@@ -3,6 +3,10 @@ on:
   # Can't use pull_request because it won't have access to secrets
   pull_request_target:
     types: [labeled, closed]
+
+permissions:
+  contents: read
+
 jobs:
   tweetStateChange:
     runs-on: ubuntu-latest