From 95e293d23a51bff3d3cb388c0da608c9d18eef1f Mon Sep 17 00:00:00 2001
From: Mrugesh Mohapatra <1884376+raisedadead@users.noreply.github.com>
Date: Sun, 1 Mar 2026 17:19:19 +0530
Subject: [PATCH] fix(GHA): harden permissions (#66155)

---
 .github/workflows/crowdin-download.client-ui.yml | 3 +++
 .github/workflows/crowdin-upload.client-ui.yml | 5 +++++
 .github/workflows/crowdin-upload.curriculum.yml | 5 +++++
 .github/workflows/e2e-playwright.yml | 8 ++++++++
 .github/workflows/e2e-third-party.yml | 8 ++++++++
 .github/workflows/node.js-tests.yml | 5 +++++
 6 files changed, 34 insertions(+)

diff --git a/.github/workflows/crowdin-download.client-ui.yml b/.github/workflows/crowdin-download.client-ui.yml
index c8adb2daf3b..753bd14c546 100644
--- a/.github/workflows/crowdin-download.client-ui.yml
+++ b/.github/workflows/crowdin-download.client-ui.yml
@@ -11,6 +11,9 @@ env:
   CROWDIN_API_URL: 'https://freecodecamp.crowdin.com/api/v2/'
   CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID_CLIENT }}
 
+permissions:
+  contents: read
+
 jobs:
   i18n-download-client-ui-translations:
     name: Client
diff --git a/.github/workflows/crowdin-upload.client-ui.yml b/.github/workflows/crowdin-upload.client-ui.yml
index 299785f17f0..86559596b3a 100644
--- a/.github/workflows/crowdin-upload.client-ui.yml
+++ b/.github/workflows/crowdin-upload.client-ui.yml
@@ -11,6 +11,9 @@ env:
   CROWDIN_API_URL: 'https://freecodecamp.crowdin.com/api/v2/'
   CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID_ClIENT }}
 
+permissions:
+  contents: read
+
 jobs:
   i18n-upload-client-ui-files:
     name: Client
@@ -19,6 +22,8 @@ jobs:
     steps:
       - name: Checkout Source Files
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Generate Crowdin Config
         uses: freecodecamp/crowdin-action@36a78cbf92f5a6c05a3a32dc8bf434a19a7c59e2 # main
diff --git a/.github/workflows/crowdin-upload.curriculum.yml b/.github/workflows/crowdin-upload.curriculum.yml
index 381621c3613..676bbf7c226 100644
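Review bot: The workflow-level `contents: read` added to crowdin-download.client-ui.yml now caps `GITHUB_TOKEN` for every job in that file, so if a later step commits or pushes the downloaded translations with that token it will start failing with a 403; the pushing job would need a job-level override, `permissions:` / `  contents: write`, which takes precedence over the workflow block. This is also the only checkout in the patch that keeps `persist-credentials` at its default of `true`, which only makes sense if a push step reuses the token checkout stored in `.git/config` — if the push instead uses a PAT or GitHub App token, `persist-credentials: false` belongs on this checkout too. The job's steps are outside the hunk, so I cannot tell which case applies; a one-line comment on the checkout saying why credentials are kept would stop the next hardening pass from guessing.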
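Review bot: In the first crowdin-upload.client-ui.yml hunk the context line `CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID_ClIENT }}` spells the secret with a lowercase `l`, while crowdin-download.client-ui.yml reads `secrets.CROWDIN_PROJECT_ID_CLIENT`. GitHub resolves secret names case-insensitively, so this presumably works today, but it defeats a grep for the secret and invites someone to create a second one under the misspelt name; normalising it to `CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID_CLIENT }}` while the file is being touched costs nothing. Not introduced by this commit.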
--- a/.github/workflows/crowdin-upload.curriculum.yml
+++ b/.github/workflows/crowdin-upload.curriculum.yml
@@ -11,6 +11,9 @@ env:
   CROWDIN_API_URL: 'https://freecodecamp.crowdin.com/api/v2/'
   CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID_CURRICULUM }}
 
+permissions:
+  contents: read
+
 jobs:
   i18n-upload-curriculum-files:
     name: Learn
@@ -19,6 +22,8 @@ jobs:
     steps:
       - name: Checkout Source Files
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Generate Crowdin Config
         uses: freecodecamp/crowdin-action@36a78cbf92f5a6c05a3a32dc8bf434a19a7c59e2 # main
diff --git a/.github/workflows/e2e-playwright.yml b/.github/workflows/e2e-playwright.yml
index 1480592af1c..3c8bc1aa8b2 100644
--- a/.github/workflows/e2e-playwright.yml
+++ b/.github/workflows/e2e-playwright.yml
@@ -15,6 +15,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.workflow_run.head_branch || github.ref }}
   cancel-in-progress: ${{ !contains(github.ref, 'main') && !contains(github.ref, 'prod-') }}
 
+permissions:
+  contents: read
+
 jobs:
   build-client:
     name: Build Client
@@ -27,6 +30,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
+          persist-credentials: false
           submodules: 'recursive'
 
       - name: Use Node.js ${{ matrix.node-version }}
@@ -51,6 +55,7 @@ jobs:
         with:
           repository: freeCodeCamp/client-config
           path: client-config
+          persist-credentials: false
 
       - name: Set freeCodeCamp Environment Variables
         run: |
@@ -84,6 +89,7 @@ jobs:
       - name: Checkout Source Files
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
+          persist-credentials: false
           submodules: 'recursive'
 
       - name: Create Image
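Review bot: Any later step in the e2e-playwright.yml jobs touched by the `@@ -27,6 +30,7` and `@@ -84,6 +89,7` hunks that itself runs `git fetch`, `git submodule update` or a push will now hit an unauthenticated remote, because `persist-credentials: false` scrubs the token from `.git/config` after checkout; the recursive submodule clone inside actions/checkout is unaffected, since it happens before the scrub. The concurrency group on the context line reads `github.event.workflow_run.head_branch`, which suggests this workflow also runs on `workflow_run`, i.e. with the base repository's token and secrets against pull-request code — precisely the case where the top-level `contents: read` and the scrubbed token matter most. If any job in this file reports results back (check runs, PR comments), grant `checks: write` or `pull-requests: write` on that job only rather than widening the workflow block. The job bodies continue outside the hunks, so both points are conditional on what follows.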
@@ -119,6 +125,8 @@ jobs: - name: Checkout Source Files uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Download Client Artifact uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 diff --git a/.github/workflows/e2e-third-party.yml b/.github/workflows/e2e-third-party.yml index 65f15ef5f50..a2864c20b97 100644 --- a/.github/workflows/e2e-third-party.yml +++ b/.github/workflows/e2e-third-party.yml @@ -10,6 +10,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.workflow_run.head_branch || github.ref }} cancel-in-progress: ${{ !contains(github.ref, 'main') && !contains(github.ref, 'prod-') }} +permissions: + contents: read + jobs: build-client: name: Build Client @@ -21,11 +24,13 @@ jobs: - name: Checkout Source Files uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false submodules: 'recursive' - name: Checkout client-config uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false repository: freeCodeCamp/client-config path: client-config @@ -68,6 +73,7 @@ jobs: - name: Checkout Source Files uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: + persist-credentials: false submodules: 'recursive' - name: Create Image @@ -101,6 +107,8 @@ jobs: - name: Checkout Source Files uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 diff --git a/.github/workflows/node.js-tests.yml b/.github/workflows/node.js-tests.yml index c41b2fced92..b71fbe5e4ed 100644 --- a/.github/workflows/node.js-tests.yml +++ b/.github/workflows/node.js-tests.yml 
@@ -36,6 +36,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           submodules: 'recursive'
+          persist-credentials: false
 
       - name: Check number of lockfiles
         run: |
@@ -106,6 +107,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           submodules: 'recursive'
+          persist-credentials: false
 
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
@@ -148,6 +150,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           submodules: 'recursive'
+          persist-credentials: false
 
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
@@ -200,6 +203,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           submodules: 'recursive'
+          persist-credentials: false
 
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
@@ -254,6 +258,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           submodules: 'recursive'
+          persist-credentials: false
 
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
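Review bot: node.js-tests.yml is the only file in this patch that receives `persist-credentials: false` without a workflow-level `permissions:` block — the diffstat shows exactly 5 insertions for it, all of them the lines in these hunks — so unless the file already declares one above line 36, its `GITHUB_TOKEN` still carries the repository's default scope and the credential scrubbing closes only half of the exposure. If it is missing, add `permissions:` / `  contents: read` at the top level to match the other five workflows, and grant anything a job genuinely needs (for example `pull-requests: write` for a coverage comment) at that job. The head of the file is outside these hunks, so this may already be in place; a quick check is `grep -n '^permissions:' .github/workflows/node.js-tests.yml`.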