From 51572804a71151b42e2be132e2c1beb1f0e3d7bb Mon Sep 17 00:00:00 2001
From: Arpit Jain <arpitjain099@gmail.com>
Date: Thu, 14 May 2026 15:13:13 +0900
Subject: [PATCH] ci: declare contents:read on CI workflow

The lint job runs npm ci, remark-lint over markdown, and yamllint
after downloading the Node.js project's .yamllint.yaml. None of these
write to the repo or call the GitHub API, so contents:read is the
minimum.

Style matches the workflow-level permissions blocks in closeVote.yml,
initiateNewVote.yml, and watchVote.yml.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d61108f1..83c7d7dd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,6 +16,9 @@ on:
       - .github/workflows/ci.yml
       - .github/workflows/remark-lint-problem-matcher.json
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest