
ci: declare contents:read on Lint workflow#2989

Open
arpitjain099 wants to merge 1 commit into NVIDIA:main from arpitjain099:chore/lint-permissions

Conversation

@arpitjain099

The Lint workflow currently doesn't declare a permissions: block, so its GITHUB_TOKEN inherits the repository default. Both jobs (pytorch_cpplint, pytorch_pylint) only check out the repo and run shell scripts that invoke cpplint and pylint locally. No cache, no GitHub API call, no comment-on-PR step.

This patch sets permissions: contents: read at workflow scope, matching the per-job permissions blocks already declared by deploy_nightly_docs.yml (pages: write, id-token: write) and upload-ci-logs.yml (statuses: write).

Out of scope for this PR (left for a separate change):

  • build.yml uses mozilla-actions/sccache-action, which writes to the GitHub Actions cache. Declaring explicit permissions there has to account for the actions: write need on the cache save path; that's a more involved discussion than a drive-by warrants.
  • attach-wheels-to-release.yml, blossom-ci.yml, trigger-ci.yml -- each is a multi-stage workflow (release publishing, hybrid-CI authorization). Their per-job permission story deserves a careful review on its own.
  • license.yml is small enough (~20 lines) that the noise/value ratio isn't worth a separate PR.

No behavioural change to the Lint workflow.

The Lint workflow runs cpplint and pylint against the checked-out
tree. No cache, no GitHub API write. `permissions: contents: read`
captures that and matches the per-job permissions blocks already
used in deploy_nightly_docs.yml (pages:write + id-token:write) and
upload-ci-logs.yml (statuses:write).

build.yml is left out because it pulls mozilla-actions/sccache-action
(which writes to the Actions cache) and easimon/maximize-build-space.
A drive-by permissions block there would need actions:write for the
sccache save path, which deserves a separate look.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
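The weak and hardened forms described above, side by side, as an added illustration that is not the project's lint.yml and not code from this PR; the job names, script paths and the status-reporting job are assumptions used to show how a job that genuinely needs a write scope overrides the workflow-level block without widening the lint jobs:

```yaml
# Constructed example, not the project's lint.yml.
# Before: no permissions block, so GITHUB_TOKEN inherits the repository
# default, which may be read/write for every scope.
name: Lint
on: [pull_request, push]
jobs:
  cpplint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/run-cpplint.sh   # hypothetical script path
---
# After: a workflow-scope permissions block. Declaring any permissions
# block sets every unlisted scope to none, and contents: read is all
# actions/checkout needs to clone with GITHUB_TOKEN.
name: Lint
on: [pull_request, push]
permissions:
  contents: read
jobs:
  cpplint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/run-cpplint.sh   # hypothetical script path
  pylint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/run-pylint.sh    # hypothetical script path
  # Hypothetical job needing statuses: write (the upload-ci-logs.yml
  # case mentioned above). A job-level block replaces the workflow-level
  # one for that job rather than merging with it, so contents: read has
  # to be restated here or checkout loses it.
  report-status:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      statuses: write
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/post-status.sh   # hypothetical script path
```

Because job-level blocks replace rather than extend the workflow block, auditing a workflow means checking each job's effective scopes, not only the top-level declaration.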
@greptile-apps

greptile-apps Bot commented May 14, 2026

Greptile Summary

Adds a workflow-level permissions: contents: read block to lint.yml, following the principle of least privilege so the GITHUB_TOKEN can no longer use its default repository-wide write grants.

  • All four jobs (pytorch_cpplint, pytorch_pylint, jax_cpplint, jax_pylint) only check out the repository and run local lint scripts — contents: read is the exact permission actions/checkout requires and nothing more is needed.
  • No behavioural change; the fix mirrors the explicit permissions blocks already present in deploy_nightly_docs.yml and upload-ci-logs.yml.

Confidence Score: 5/5

Safe to merge — the change only restricts the GITHUB_TOKEN scope and has no effect on workflow behaviour.

The change is two lines of YAML that add permissions: contents: read at the workflow scope. Every job in the workflow only checks out the repository and runs lint tools locally, so contents: read is precisely what is needed. There is no risk of breaking the workflow and no other permissions are required.

No files require special attention.

Important Files Changed

Filename | Overview
.github/workflows/lint.yml | Adds workflow-level permissions: contents: read to restrict GITHUB_TOKEN; all four jobs only check out the repo and run local lint scripts, so this is exactly the right scope.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant Token as GITHUB_TOKEN
    participant Checkout as actions/checkout
    participant Lint as Lint Script (local)

    GH->>Token: "Issue token with permissions: contents=read"
    GH->>Checkout: Run checkout step
    Checkout->>Token: Request repo contents (read)
    Token-->>Checkout: Granted (contents: read ✓)
    Checkout-->>GH: Repo cloned
    GH->>Lint: Run cpplint / pylint locally
    Lint-->>GH: Lint results (no GitHub API calls)