From aa6dadfe6930eb6f37411acf3395a8f87743b9bc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?David=20Test=C3=A9?=
Date: Mon, 12 May 2025 16:04:11 +0200
Subject: [PATCH] chore(ci): ensure minimal permission for github default token

With recent enforcing of the least permissions for GITHUB_TOKEN, pull-request from external contributors would trigger systematic error (i.e. on repository checkout) in the continuous integration pipeline. Allowing contents:read fixes this behavior.
---
 .github/workflows/aws_tfhe_backward_compat_tests.yml | 4 ++--
 .github/workflows/aws_tfhe_fast_tests.yml | 4 ++--
 .github/workflows/aws_tfhe_integer_tests.yml | 4 ++--
 .github/workflows/aws_tfhe_signed_integer_tests.yml | 4 ++--
 .github/workflows/aws_tfhe_tests.yml | 4 ++--
 .github/workflows/aws_tfhe_wasm_tests.yml | 4 ++--
 .github/workflows/benchmark_gpu_4090.yml | 4 ++--
 .github/workflows/cargo_build.yml | 4 ++--
 .github/workflows/cargo_build_tfhe_fft.yml | 4 ++--
 .github/workflows/cargo_build_tfhe_ntt.yml | 4 ++--
 .github/workflows/cargo_test_fft.yml | 4 ++--
 .github/workflows/cargo_test_ntt.yml | 4 ++--
 .github/workflows/check_commit.yml | 5 +++--
 .github/workflows/ci_lint.yml | 3 ++-
 .github/workflows/code_coverage.yml | 4 ++--
 .github/workflows/csprng_randomness_tests.yml | 4 ++--
 .github/workflows/gpu_4090_tests.yml | 4 ++--
 .github/workflows/gpu_fast_h100_tests.yml | 4 ++--
 .github/workflows/gpu_fast_tests.yml | 4 ++--
 .github/workflows/gpu_full_multi_gpu_tests.yml | 4 ++--
 .github/workflows/gpu_integer_long_run_tests.yml | 4 ++--
 .github/workflows/gpu_pcc.yml | 4 ++--
 .github/workflows/gpu_signed_integer_classic_tests.yml | 4 ++--
 .github/workflows/gpu_signed_integer_h100_tests.yml | 5 ++---
 .github/workflows/gpu_signed_integer_tests.yml | 4 ++--
 .github/workflows/gpu_unsigned_integer_classic_tests.yml | 5 ++---
 .github/workflows/gpu_unsigned_integer_h100_tests.yml | 4 ++--
 .github/workflows/gpu_unsigned_integer_tests.yml | 4 ++--
 .github/workflows/m1_tests.yml | 3 ++-
 29 files changed, 59 insertions(+), 58 deletions(-)
diff --git a/.github/workflows/aws_tfhe_backward_compat_tests.yml b/.github/workflows/aws_tfhe_backward_compat_tests.yml
index 3f47f3394..676670a5d 100644
--- a/.github/workflows/aws_tfhe_backward_compat_tests.yml
+++ b/.github/workflows/aws_tfhe_backward_compat_tests.yml
@@ -23,8 +23,8 @@ on:
 workflow_dispatch:
 pull_request:
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 setup-instance:
diff --git a/.github/workflows/aws_tfhe_fast_tests.yml b/.github/workflows/aws_tfhe_fast_tests.yml
index a57bece2e..4571cd382 100644
--- a/.github/workflows/aws_tfhe_fast_tests.yml
+++ b/.github/workflows/aws_tfhe_fast_tests.yml
@@ -24,8 +24,8 @@ on:
 workflow_dispatch:
 pull_request:
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 should-run:
diff --git a/.github/workflows/aws_tfhe_integer_tests.yml b/.github/workflows/aws_tfhe_integer_tests.yml
index c82d689d5..9abe4efa6 100644
--- a/.github/workflows/aws_tfhe_integer_tests.yml
+++ b/.github/workflows/aws_tfhe_integer_tests.yml
@@ -30,8 +30,8 @@ on:
 branches:
 - main
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 should-run:
diff --git a/.github/workflows/aws_tfhe_signed_integer_tests.yml b/.github/workflows/aws_tfhe_signed_integer_tests.yml
index 39dacdbba..be95073a3 100644
--- a/.github/workflows/aws_tfhe_signed_integer_tests.yml
+++ b/.github/workflows/aws_tfhe_signed_integer_tests.yml
@@ -30,8 +30,8 @@ on:
 branches:
 - main
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 should-run:
diff --git a/.github/workflows/aws_tfhe_tests.yml b/.github/workflows/aws_tfhe_tests.yml
index ce44cc2ae..e3d1dfe61 100644
--- a/.github/workflows/aws_tfhe_tests.yml
+++ b/.github/workflows/aws_tfhe_tests.yml
@@ -27,8 +27,8 @@ on:
 # Nightly tests @ 1AM after each work day
 - cron: "0 1 * * MON-FRI"
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 should-run:
diff --git a/.github/workflows/aws_tfhe_wasm_tests.yml b/.github/workflows/aws_tfhe_wasm_tests.yml
index 9084bfdc0..43c389af7 100644
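Review bot: Moving the grant to the workflow-level `permissions:` block in aws_tfhe_backward_compat_tests.yml gives every job in the workflow `contents: read`, including any job that never checks out the repository (the `setup-instance` job visible in the context may be one, if it only provisions a runner — cannot confirm from the hunk), whereas the previous `permissions: {}` left the grant to be made per job. Keeping `permissions: {}` at the top and adding `permissions:` / `  contents: read` only under the jobs that run a checkout step would preserve the least-privilege intent stated in the commit message; the checkout steps themselves are outside the hunk. The same observation applies to every other `permissions: {}` → `contents: read` hunk in this patch, so it is raised once here.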
--- a/.github/workflows/aws_tfhe_wasm_tests.yml
+++ b/.github/workflows/aws_tfhe_wasm_tests.yml
@@ -23,8 +23,8 @@ on:
 pull_request:
 types: [ labeled ]
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 setup-instance:
diff --git a/.github/workflows/benchmark_gpu_4090.yml b/.github/workflows/benchmark_gpu_4090.yml
index 4c533c283..5319d9044 100644
--- a/.github/workflows/benchmark_gpu_4090.yml
+++ b/.github/workflows/benchmark_gpu_4090.yml
@@ -22,8 +22,8 @@ on:
 # Weekly benchmarks will be triggered each Friday at 9p.m.
 - cron: "0 21 * * 5"
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 cuda-integer-benchmarks:
diff --git a/.github/workflows/cargo_build.yml b/.github/workflows/cargo_build.yml
index 76413547c..32edfe80b 100644
--- a/.github/workflows/cargo_build.yml
+++ b/.github/workflows/cargo_build.yml
@@ -14,8 +14,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref }}
 cancel-in-progress: true
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 cargo-builds:
diff --git a/.github/workflows/cargo_build_tfhe_fft.yml b/.github/workflows/cargo_build_tfhe_fft.yml
index ccbd8bfb2..76d26c553 100644
--- a/.github/workflows/cargo_build_tfhe_fft.yml
+++ b/.github/workflows/cargo_build_tfhe_fft.yml
@@ -12,8 +12,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref }}
 cancel-in-progress: true
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 cargo-builds-fft:
diff --git a/.github/workflows/cargo_build_tfhe_ntt.yml b/.github/workflows/cargo_build_tfhe_ntt.yml
index b28c2b832..d1494ca0f 100644
--- a/.github/workflows/cargo_build_tfhe_ntt.yml
+++ b/.github/workflows/cargo_build_tfhe_ntt.yml
@@ -12,8 +12,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref }}
 cancel-in-progress: true
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 cargo-builds-ntt:
diff --git a/.github/workflows/cargo_test_fft.yml b/.github/workflows/cargo_test_fft.yml
index 0eb965ad0..8c25092dc 100644
--- a/.github/workflows/cargo_test_fft.yml
+++ b/.github/workflows/cargo_test_fft.yml
@@ -16,8 +16,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref }}
 cancel-in-progress: true
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 should-run:
diff --git a/.github/workflows/cargo_test_ntt.yml b/.github/workflows/cargo_test_ntt.yml
index 9f657df01..f21f35f26 100644
--- a/.github/workflows/cargo_test_ntt.yml
+++ b/.github/workflows/cargo_test_ntt.yml
@@ -16,8 +16,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.head_ref }}
 cancel-in-progress: true
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 should-run:
diff --git a/.github/workflows/check_commit.yml b/.github/workflows/check_commit.yml
index 51e78f7d7..fe37f82a5 100644
--- a/.github/workflows/check_commit.yml
+++ b/.github/workflows/check_commit.yml
@@ -3,8 +3,9 @@ name: Check commit and PR compliance
 on:
 pull_request:
-
-permissions: {}
+permissions:
+ contents: read
+ pull-requests: read # Permission needed to scan commits in a pull-request
 jobs:
 check-commit-pr:
diff --git a/.github/workflows/ci_lint.yml b/.github/workflows/ci_lint.yml
index 3b22e1036..817305b1a 100644
--- a/.github/workflows/ci_lint.yml
+++ b/.github/workflows/ci_lint.yml
@@ -9,7 +9,8 @@ env:
 ACTIONLINT_CHECKSUM: "023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757"
 CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN || secrets.GITHUB_TOKEN }}
-permissions: {}
+permissions:
+ contents: read
 jobs:
 lint-check:
diff --git a/.github/workflows/code_coverage.yml b/.github/workflows/code_coverage.yml
index fec789ec0..0c6cebd1c 100644
--- a/.github/workflows/code_coverage.yml
+++ b/.github/workflows/code_coverage.yml
@@ -17,8 +17,8 @@ on:
 workflow_dispatch: # Code coverage workflow is only run via workflow_dispatch event since execution duration is not stabilized yet.
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 setup-instance:
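Review bot: In the ci_lint.yml hunk the new `contents: read` scope only constrains `secrets.GITHUB_TOKEN`, while the context line `CHECKOUT_TOKEN: ${{ secrets.REPO_CHECKOUT_TOKEN || secrets.GITHUB_TOKEN }}` shows the checkout may instead use `REPO_CHECKOUT_TOKEN`, whose scopes (presumably a PAT or app token; not visible here) are unaffected by the `permissions:` block. That is fine if intended, but it should be stated next to the env entry so the permissions block is not read as the effective privilege of the checkout: `# permissions: below scopes GITHUB_TOKEN only; REPO_CHECKOUT_TOKEN carries its own scopes`. It is also worth confirming in the PR that the fallback to `GITHUB_TOKEN` is the path taken for pull requests from forks, since repository secrets are normally withheld there and that is the failure the commit message describes.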
diff --git a/.github/workflows/csprng_randomness_tests.yml b/.github/workflows/csprng_randomness_tests.yml
index 1b50140b9..78ccfc08b 100644
--- a/.github/workflows/csprng_randomness_tests.yml
+++ b/.github/workflows/csprng_randomness_tests.yml
@@ -21,8 +21,8 @@ on:
 pull_request:
 types: [ labeled ]
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 setup-instance:
diff --git a/.github/workflows/gpu_4090_tests.yml b/.github/workflows/gpu_4090_tests.yml
index 9dc4052bf..61c1e986c 100644
--- a/.github/workflows/gpu_4090_tests.yml
+++ b/.github/workflows/gpu_4090_tests.yml
@@ -22,8 +22,8 @@ on:
 # Nightly tests @ 1AM after each work day
 - cron: "0 1 * * MON-FRI"
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 cuda-tests-linux:
diff --git a/.github/workflows/gpu_fast_h100_tests.yml b/.github/workflows/gpu_fast_h100_tests.yml
index e5f5f08ec..72671036f 100644
--- a/.github/workflows/gpu_fast_h100_tests.yml
+++ b/.github/workflows/gpu_fast_h100_tests.yml
@@ -25,8 +25,8 @@ on:
 pull_request:
 types: [ labeled ]
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 should-run:
diff --git a/.github/workflows/gpu_fast_tests.yml b/.github/workflows/gpu_fast_tests.yml
index f225da5c3..85a0c3f23 100644
--- a/.github/workflows/gpu_fast_tests.yml
+++ b/.github/workflows/gpu_fast_tests.yml
@@ -24,8 +24,8 @@ on:
 workflow_dispatch:
 pull_request:
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 should-run:
diff --git a/.github/workflows/gpu_full_multi_gpu_tests.yml b/.github/workflows/gpu_full_multi_gpu_tests.yml
index 6cbd22dcc..3d0ed0e34 100644
--- a/.github/workflows/gpu_full_multi_gpu_tests.yml
+++ b/.github/workflows/gpu_full_multi_gpu_tests.yml
@@ -25,8 +25,8 @@ on:
 pull_request:
 types: [ labeled ]
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 should-run:
diff --git a/.github/workflows/gpu_integer_long_run_tests.yml b/.github/workflows/gpu_integer_long_run_tests.yml
index 36818a322..83a423fda 100644
--- a/.github/workflows/gpu_integer_long_run_tests.yml
+++ b/.github/workflows/gpu_integer_long_run_tests.yml
@@ -19,8 +19,8 @@ on:
 # Nightly tests will be triggered each evening 8p.m.
 - cron: "0 20 * * *"
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 setup-instance:
diff --git a/.github/workflows/gpu_pcc.yml b/.github/workflows/gpu_pcc.yml
index 95baf76ae..5f14d73c5 100644
--- a/.github/workflows/gpu_pcc.yml
+++ b/.github/workflows/gpu_pcc.yml
@@ -23,8 +23,8 @@ env:
 on:
 pull_request:
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 setup-instance:
diff --git a/.github/workflows/gpu_signed_integer_classic_tests.yml b/.github/workflows/gpu_signed_integer_classic_tests.yml
index 66d2ffcf0..409b85b5f 100644
--- a/.github/workflows/gpu_signed_integer_classic_tests.yml
+++ b/.github/workflows/gpu_signed_integer_classic_tests.yml
@@ -25,8 +25,8 @@ on:
 pull_request:
 types: [ labeled ]
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 should-run:
diff --git a/.github/workflows/gpu_signed_integer_h100_tests.yml b/.github/workflows/gpu_signed_integer_h100_tests.yml
index c027f2976..396d9214d 100644
--- a/.github/workflows/gpu_signed_integer_h100_tests.yml
+++ b/.github/workflows/gpu_signed_integer_h100_tests.yml
@@ -25,9 +25,8 @@ on:
 pull_request:
 types: [ labeled ]
-
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 should-run:
diff --git a/.github/workflows/gpu_signed_integer_tests.yml b/.github/workflows/gpu_signed_integer_tests.yml
index ae2362610..b9e8b2055 100644
--- a/.github/workflows/gpu_signed_integer_tests.yml
+++ b/.github/workflows/gpu_signed_integer_tests.yml
@@ -29,8 +29,8 @@ on:
 # Nightly tests @ 1AM after each work day
 - cron: "0 1 * * MON-FRI"
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 should-run:
diff --git a/.github/workflows/gpu_unsigned_integer_classic_tests.yml b/.github/workflows/gpu_unsigned_integer_classic_tests.yml
index ade9b01b0..d1fa709e9 100644
--- a/.github/workflows/gpu_unsigned_integer_classic_tests.yml
+++ b/.github/workflows/gpu_unsigned_integer_classic_tests.yml
@@ -25,9 +25,8 @@ on:
 pull_request:
 types: [ labeled ]
-
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 should-run:
diff --git a/.github/workflows/gpu_unsigned_integer_h100_tests.yml b/.github/workflows/gpu_unsigned_integer_h100_tests.yml
index f1587e387..7b378e796 100644
--- a/.github/workflows/gpu_unsigned_integer_h100_tests.yml
+++ b/.github/workflows/gpu_unsigned_integer_h100_tests.yml
@@ -25,8 +25,8 @@ on:
 pull_request:
 types: [ labeled ]
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 should-run:
diff --git a/.github/workflows/gpu_unsigned_integer_tests.yml b/.github/workflows/gpu_unsigned_integer_tests.yml
index 89f1bfcd0..9fba08339 100644
--- a/.github/workflows/gpu_unsigned_integer_tests.yml
+++ b/.github/workflows/gpu_unsigned_integer_tests.yml
@@ -29,8 +29,8 @@ on:
 # Nightly tests @ 1AM after each work day
 - cron: "0 1 * * MON-FRI"
-
-permissions: {}
+permissions:
+ contents: read
 jobs:
 should-run:
diff --git a/.github/workflows/m1_tests.yml b/.github/workflows/m1_tests.yml
index 5c04d5bb2..3a6fa541a 100644
--- a/.github/workflows/m1_tests.yml
+++ b/.github/workflows/m1_tests.yml
@@ -27,7 +27,8 @@ concurrency:
 group: ${{ github.workflow_ref }}
 cancel-in-progress: true
-permissions: {}
+permissions:
+ contents: read
 jobs:
 cargo-builds-m1: