From 1e0a7f7c8807a1e3066c642512c9fb7f1cfc6c51 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Thu, 14 May 2026 10:24:32 +0900
Subject: [PATCH] ci: declare contents:read on Lint workflow
The Lint workflow runs cpplint and pylint against the checked-out tree. No cache, no GitHub API write. `permissions: contents: read` captures that and matches the per-job permissions blocks already used in deploy_nightly_docs.yml (pages:write + id-token:write) and upload-ci-logs.yml (statuses:write). build.yml is left out because it pulls mozilla-actions/sccache-action (which writes to the Actions cache) and easimon/maximize-build-space. A drive-by permissions block there would need actions:write for the sccache save path, which deserves a separate look.
Signed-off-by: Arpit Jain
---
 .github/workflows/lint.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 1d2fb272f8..016d2079d2 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -11,6 +11,8 @@ concurrency:
 # Group by workflow name + PR number (for PRs) or ref (for branch/tag pushes)
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
 jobs:
 pytorch_cpplint:
 name: 'PyTorch C++'
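Review bot: The new top-level `permissions:` block between `cancel-in-progress: true` and `jobs:` carries no comment, so a reader cannot tell that it is workflow-wide and that every scope not listed drops to `none` for all jobs in lint.yml. A one-line comment above it would make that explicit, for example `# Least privilege: token is read-only; scopes not listed here are none for every job.` The jobs themselves lie outside the hunk, so it is worth confirming that none of them needs another scope (for instance to post annotations or comments); if one does, it should get its own per-job `permissions:` block rather than widening this one. If the checkout steps do not already set it, `persist-credentials: false` on `actions/checkout` would also keep the token out of the working tree that the linters read.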