
ci: declare contents:read on license + yarn-audit workflows #5054

Open

arpitjain099 wants to merge 1 commit into linuxfoundation:dev from arpitjain099:chore/audit-and-license-permissions

Conversation

@arpitjain099

Pins three workflows to contents: read at workflow scope. license-header-check.yml runs ./check-headers.sh against the cla-backend, cla-backend-legacy, cla-backend-go and cla-frontend trees. The two yarn-scan workflows run yarn install + yarn audit on cla-backend-go and cla-backend respectively. None of them write to the repo or post comments.

Defense-in-depth motivation is the CVE-2025-30066 tj-actions/changed-files precedent: a compromised third-party action runs inside the existing job context and exfiltrates the workflow GITHUB_TOKEN via build logs. The blast radius equals the token's issued scope; the explicit cap bounds it.

Style matches the per-job blocks already in build-pr.yml, go-audit.yml, license-compliance-go.yml, security-scan-go.yml, and the rest of the hardened set. YAML validated locally with yaml.safe_load.

License-header-check runs ./check-headers.sh against the cla-backend
trees. The two yarn-scan workflows run yarn install + yarn audit on
cla-backend-go and cla-backend after checkout. No GitHub API write,
no comment-on-PR.

contents:read at workflow scope matches the per-job style used by
build-pr.yml (id-token:write + contents:read + pull-requests:write),
go-audit.yml, license-compliance-go.yml, and security-scan-go.yml.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
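A check for the property this PR enforces, added here as an example (not code from the repository or from this PR): it loads a workflow with yaml.safe_load, as the description says was done locally, and reports every job whose effective GITHUB_TOKEN is not explicitly capped to read scopes, including a workflow-level cap inherited by jobs and a job-level block that overrides it. The sample YAML and the function names are constructed; PyYAML is assumed to be installed.

```python
# Constructed sample in the shape the PR describes for license-header-check.yml
# after the change; not the repository's actual file.
SAMPLE_WORKFLOW = """\
name: License Header Check
on: [pull_request]
permissions:
  contents: read
jobs:
  check-headers:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./check-headers.sh
"""


def effective_permissions(workflow: dict, job: dict):
    """A job-level block replaces the workflow-level one; absence inherits it."""
    return job.get("permissions", workflow.get("permissions"))


def audit_permissions(workflow: dict) -> list[str]:
    """One finding per job whose token is not explicitly capped to read scopes."""
    findings = []
    for name, job in (workflow.get("jobs") or {}).items():
        perms = effective_permissions(workflow, job or {})
        if perms is None:
            # No cap at either level: the repository default token scope applies.
            findings.append(f"{name}: no permissions block, default token scope applies")
        elif perms == "write-all":
            findings.append(f"{name}: write-all grants every scope")
        elif perms == "read-all":
            findings.append(f"{name}: read-all is broader than contents: read")
        elif isinstance(perms, dict):
            # Write scopes are not always wrong (build-pr.yml needs pull-requests: write),
            # but each one widens what a compromised step can do with the token.
            writes = sorted(k for k, v in perms.items() if v == "write")
            if writes:
                findings.append(f"{name}: write scopes {writes}")
    return findings


def load_workflow(text: str) -> dict:
    """Parse with PyYAML's safe_load, the same check the PR says was run locally."""
    import yaml  # assumes PyYAML is installed
    return yaml.safe_load(text)


if __name__ == "__main__":
    print(audit_permissions(load_workflow(SAMPLE_WORKFLOW)) or "all jobs capped")
```

An empty result means every job runs with a declared read-only (or empty) token; a `permissions: {}` block is accepted because it grants nothing at all.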

coderabbitai Bot commented May 14, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 355223d and a6a55a9.

📒 Files selected for processing (3)
  • .github/workflows/license-header-check.yml
  • .github/workflows/yarn-scan-backend-go-pr.yml
  • .github/workflows/yarn-scan-backend-pr.yml

Walkthrough

Three GitHub Actions workflows now declare explicit permissions restricting GitHub token access to contents: read. The License Header Check, Yarn Golang Backend Dependency Audit, and Yarn Python Backend Dependency Audit workflows each add a top-level permissions block, limiting the scope of the default GITHUB_TOKEN.

Changes

Workflow Permissions Hardening

Layer: Restrict permissions across workflows
File(s): .github/workflows/license-header-check.yml, .github/workflows/yarn-scan-backend-go-pr.yml, .github/workflows/yarn-scan-backend-pr.yml
Summary: License Header Check, Yarn Golang Backend Dependency Audit, and Yarn Python Backend Dependency Audit workflows each add a top-level permissions block setting contents: read, limiting default token scope.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks: 5 passed

Title check: ✅ Passed. The title clearly and concisely describes the main change: adding contents:read permissions to three specific GitHub Actions workflows (license-header-check and yarn-audit workflows).
Description check: ✅ Passed. The description is directly related to the changeset, explaining which workflows were modified, what permissions were added, the security motivation (CVE-2025-30066), and validation approach.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
