From 7125f817bacc8e28b011f527057db08385a6f007 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Wed, 13 May 2026 06:49:34 +0000
Subject: [PATCH] ci: declare empty permissions for do-not-merge label check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This workflow only checks the PR's labels and exits 1 if 'do not merge' is present. It does not check out the repo, install anything, or call any GitHub API — permissions: {} (no scopes at all) is correct here.

Signed-off-by: Arpit Jain
---
 .github/workflows/do-not-merge.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/do-not-merge.yml b/.github/workflows/do-not-merge.yml
index b5d109b57f0..29f4eb4a86b 100644
--- a/.github/workflows/do-not-merge.yml
+++ b/.github/workflows/do-not-merge.yml
@@ -12,6 +12,8 @@ on:
 branches: ["master"]
 types: [checks_requested]

+permissions: {}
+
 jobs:
 fail-by-label:
 runs-on: ubuntu-latest
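Review bot: The new workflow-level `permissions: {}` has no comment saying the scope-less token is deliberate, so someone who later adds a step that calls the GitHub API will get an authorization failure with nothing in the file to explain it. I would add a line above it such as `# GITHUB_TOKEN gets no scopes: the job only inspects labels from the event payload; grant scopes per job if a step ever needs the API.` The `on:` block and the `fail-by-label` job both continue outside this hunk, so the commit message's claim that no step uses the token cannot be confirmed from the visible lines and is worth re-checking against the full step list. In particular, the `checks_requested` trigger shown in the context presumably delivers a payload without pull-request labels, so confirm the check does not need an API lookup on that path.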