From 2484983510160d2967806cdccc83dc0e6c01f6a5 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Wed, 13 May 2026 06:47:43 +0000
Subject: [PATCH] ci: declare contents: read for the bazel test workflow

The single job in this workflow checks out the repo and runs bazel test with remote cache via Google service-account credentials (passed as the GOOGLE_CREDENTIALS secret). It does not write to the repo or call GitHub APIs for any write, so contents: read is the minimum GITHUB_TOKEN scope it needs.

Signed-off-by: Arpit Jain
---
 .github/workflows/bazel-test.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/bazel-test.yaml b/.github/workflows/bazel-test.yaml
index 82326cd5..f31b38d6 100644
--- a/.github/workflows/bazel-test.yaml
+++ b/.github/workflows/bazel-test.yaml
@@ -7,6 +7,9 @@ on:
 pull_request:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
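Review bot: The new top-level `permissions:` block has no comment, and because declaring `contents: read` at workflow level sets every unlisted GITHUB_TOKEN scope to `none` for all jobs in the file, a step that later needs another scope will fail without an obvious cause. I would add `# Least privilege: jobs only check out the repo; unlisted GITHUB_TOKEN scopes become none.` directly above the block. The job definitions are outside the hunk, so confirm that no step relies on another scope, for example posting check results. The description says the remote cache authenticates with a GOOGLE_CREDENTIALS service-account key, which this change does not constrain; if the checkout step does not already set `persist-credentials: false`, that is worth a follow-up so the token is not left in the workspace git config while build and test code runs.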