From d7027182e776f46dbe52a12d08388e8c6ffe35dc Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Thu, 14 May 2026 15:22:42 +0900 Subject: [PATCH] ci: declare contents:read on CI workflow The three jobs (commit-lint, code-quality, build-and-test) only run wagoid/commitlint, biomejs/setup-biome, and a node test matrix. No GitHub API write, no cache. contents:read covers actions/checkout and is the actual minimum. Style matches the workflow-level read-all in scorecard.yml and the per-job permission blocks in audit.yml (security-events:write + packages:read + actions:read + contents:read). Signed-off-by: Arpit Jain --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index eee156691..14c4748b6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,6 +3,9 @@ name: CI on: pull_request: +permissions: + contents: read + jobs: commit-lint: name: Commit Lint
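Review bot: the workflow-level `permissions:` block added above `jobs:` sets every scope it does not list to none, and the commit message justifies `contents: read` only in terms of actions/checkout, so the commit-lint job is the one to double-check. The workflow triggers on `pull_request`; if wagoid/commitlint reads the pull request's commit list through the GitHub API rather than from the checkout, that job will also need `pull-requests: read`. Please confirm with a run on this PR, and if the extra scope turns out to be needed, grant it in a per-job `permissions:` block on commit-lint instead of widening the workflow-level default, so code-quality and build-and-test stay at `contents: read`.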