From 748684dd9c0460b32030e6067fcb6c36b7370118 Mon Sep 17 00:00:00 2001
From: Arpit Jain <3242828+arpitjain099@users.noreply.github.com>
Date: Thu, 14 May 2026 15:12:55 +0900
Subject: [PATCH] ci: declare contents: read on linting and tests workflows
 (#3960)

linting runs prettier / yamllint / boilerplate checks.
tests runs terraform/tofu plan + unit tests with matrix providers.
Both are pure read - no commits, releases, or comments.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
---
 .github/workflows/linting.yml | 4 ++++
 .github/workflows/tests.yml   | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 7e0ffff73..7a6a9d639 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -23,6 +23,10 @@ on:
     branches:
       - master
       - fast-dev
+
+permissions:
+  contents: read
+
 jobs:
   linting:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index c3245dcc0..e280ddc84 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -41,6 +41,9 @@ env:
   DEFAULT_TERRAFORM_VERSION: ${{ inputs.terraform_version || '1.12.2' }}
   DEFAULT_TOFU_VERSION: "1.11.0"
 
+permissions:
+  contents: read
+
 jobs:
   setup-tf-providers:
     runs-on: ubuntu-latest