Add contents:read to zizmor job permissions

bschwedler · bschwedler · commit c13aba508612 · 2026-04-10T12:16:02.000-05:00
The job declares security-events:write for SARIF upload,
but this drops the implicit contents:read needed by
actions/checkout.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -132,6 +132,7 @@ jobs:
     name: Zizmor
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       security-events: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
