ci: declare workflow-level contents: read on frontend-lint

[arpitjain099]

Pins the default GITHUB_TOKEN to contents: read on 2 workflows in .github/workflows/ that don't call a GitHub API beyond the initial checkout.

The following files were left implicit because they reference GITHUB_TOKEN / use a write-scope action / trigger on pull_request_target. Those scopes are best declared by maintainers: tinybird-ci.yml.

Why

CVE-2025-30066 (March 2025 tj-actions/changed-files supply-chain compromise) exfiltrated GITHUB_TOKEN from workflow logs. Pinning per workflow caps runtime authority irrespective of the repo or org default, gives drift protection if the default ever widens, and is credited per-file by the OpenSSF Scorecard Token-Permissions check.

YAML validated locally with yaml.safe_load on each touched file.

---

Note

Low Risk
CI-only permission tightening with no application or runtime behavior changes.

Overview
Adds an explicit workflow-level permissions: contents: read block to the Frontend Lint GitHub Actions workflow so the job’s GITHUB_TOKEN is limited to read-only repository content (enough for checkout and lint), instead of inheriting broader default scopes.

This is a supply-chain / least-privilege hardening step aligned with OpenSSF Scorecard Token-Permissions and post–changed-files incident practice; it does not change lint steps or triggers.

^{Reviewed by Cursor Bugbot for commit be67523. Bugbot is set up for automated code reviews on this repo. Configure here.}

[CLAassistant]

All committers have signed the CLA.

[joanagmaia]

@arpitjain099 can you please sign ALL your commits? You will need both -S -s

[arpitjain099]

Done. I rebased the branch onto current main as a single commit that is both SSH-signed (shows as Verified) and DCO signed-off, which also drops the two earlier unsigned merge commits. All commits on the PR now carry both signatures. Thanks for the review.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Reviewed by Cursor Bugbot for commit 3471d3d. Configure here.}

[arpitjain099]

Good catch by Bugbot, fixed. I dropped the pr-title-lint.yml change: it calls the lfx-ui/_pr-title-lint reusable workflow, which needs pull-requests: read to read PR metadata, so capping the caller to contents: read would have broken it with a 403. The PR now only hardens frontend-lint.yml, which is a plain checkout-and-lint workflow that genuinely needs nothing beyond read.