
ci(mixin): cap GITHUB_TOKEN to contents: read #5255

Status: Closed
arpitjain099 wants to merge 1 commit into prometheus:main from arpitjain099:chore/declare-workflow-perms

Conversation


@arpitjain099 arpitjain099 commented May 25, 2026

The mixin workflow only validates the alertmanager mixin (jsonnet). No GitHub API writes, so workflow-level contents: read is the right cap for the default GITHUB_TOKEN.

Post-CVE-2025-30066 (tj-actions/changed-files) hardening pattern. YAML validated locally.

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow security configuration.

Note: This release contains only internal infrastructure updates with no changes visible to end-users.

Review Change Stack

mixin workflow only validates the alertmanager mixin (jsonnet); no GitHub API writes. contents: read at workflow level is appropriate.

Post-CVE-2025-30066 hardening pattern. yaml.safe_load validated.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
@arpitjain099 arpitjain099 requested a review from a team as a code owner May 25, 2026 03:23
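The hardening the PR describes, shown as an added illustration rather than the repository's own .github/workflows/mixin.yml: the job name, the checkout step and the validation command below are hypothetical stand-ins, and only the top-level permissions block reflects the change under review.

```yaml
# Added illustration; not the alertmanager project's mixin.yml.
# Job and step contents are hypothetical stand-ins.
name: mixin

on:
  pull_request:
  push:
    branches: [main]

# Before the change: no permissions block, so the default GITHUB_TOKEN
# inherits the repository's default scope, which on older repositories is
# read/write across most scopes.
#
# After the change: a workflow-level cap. Listing only contents: read sets
# every other scope (issues, pull-requests, packages, id-token, ...) to
# "none" for all jobs below. A job that genuinely needs a write scope can
# declare its own permissions: block, which keeps the wider grant local
# to that job instead of the whole workflow.
permissions:
  contents: read

jobs:
  validate-mixin:
    runs-on: ubuntu-latest
    steps:
      # Cloning the repository needs nothing beyond contents: read.
      - uses: actions/checkout@v4
      - name: Validate mixin (hypothetical step)
        # Placeholder command; not the project's real validation target.
        run: ./validate-mixin.sh
```

The cap bounds what a compromised third-party action or a malicious pull request can do with the token (no issue comments, no release uploads, no package pushes); it does not stop the action itself from being compromised, which is what pinning actions to a full commit SHA rather than a mutable tag addresses in the CVE-2025-30066 pattern the description cites. Checking a workflow for a missing or over-broad top-level permissions block is cheap to automate and worth adding alongside the YAML syntax check mentioned in the commit message.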

coderabbitai Bot commented May 25, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3c132511-52ea-437d-a81f-8aeecdf410b6

📥 Commits

Reviewing files that changed from the base of the PR and between 36afed4 and 76f1163.

📒 Files selected for processing (1)
  • .github/workflows/mixin.yml

📝 Walkthrough

The PR adds an explicit top-level permissions block to the mixin workflow, granting read-only access to repository contents. This applies the principle of least privilege to restrict GitHub Actions token scope.

Changes

GitHub Actions Permissions Hardening

Layer / File(s): Workflow read-only permissions (.github/workflows/mixin.yml)
Summary: Top-level permissions configuration grants contents: read, restricting token access to the minimum required scope.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Description check: ⚠️ Warning
  Explanation: The description explains the rationale for the change and references security context, but does not follow the repository's PR template structure with checklist items.
  Resolution: Include the PR checklist from the template and mark applicable boxes; specify issue number if applicable or mark as N/A.

✅ Passed checks (4 passed)

Title check: ✅ Passed. The title clearly and specifically describes the main change: restricting the GITHUB_TOKEN to contents:read in the mixin workflow.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@arpitjain099 arpitjain099 (Author) commented

Closing as duplicate of #5237 (earlier PR with overlapping scope), apologies for the noise.
