From a72f9dc8c433bd4785bc2c53db192c91d7a6ba92 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Thu, 14 May 2026 10:42:40 +0900 Subject: [PATCH] ci: declare contents:read on pre-commit workflow The pre-commit workflow runs pre-commit/action@v3.0.1 against a diff range. No GitHub API write beyond actions/checkout. contents:read is the minimum. Matches the per-job permissions block already used by wheels.yml (id-token:write for trusted publishing). ci-test.yml is left out because it uses both setup-python cache and bazelisk-cache, which interact with the cache-save path and warrant a separate discussion. Signed-off-by: Arpit Jain --- .github/workflows/ci-lint.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci-lint.yml b/.github/workflows/ci-lint.yml index 9e62ef8a4c..02adf1ea5c 100644 --- a/.github/workflows/ci-lint.yml +++ b/.github/workflows/ci-lint.yml @@ -5,6 +5,9 @@ on: push: branches: [master] +permissions: + contents: read + jobs: pre-commit: runs-on: ubuntu-latest
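Review bot: The new `permissions:` block sits at workflow level, between `on:` and `jobs:`, but the commit message describes it as matching the per-job permissions block in wheels.yml. With only the `pre-commit` job in view the effective token scope is the same either way. The difference appears once a second job is added to ci-lint.yml: a top-level block becomes the default for every job in the file, and any scope not listed is set to none. Either keep the top-level placement and reword the message to say it is a workflow-wide default, or move the block under `pre-commit:` so it matches wheels.yml as stated. A one-line YAML comment above `contents: read` noting that the job needs nothing beyond checkout would also help whoever later adds a step that requires a write scope.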