From 464e97d5b3dfc184d69e71ad8fe84fd6e38ec7c3 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Thu, 14 May 2026 09:54:50 +0900 Subject: [PATCH] ci: declare contents:read on Build and Test workflow The lint/build/unit_tests/integration_tests jobs only checkout sources and run Go and Make targets. None of them call the GitHub API beyond the implicit checkout read. Declaring `permissions: contents: read` at workflow scope makes that explicit and matches the per-job style used by labeler.yml and vulnerability-check.yaml. Signed-off-by: Arpit Jain --- .github/workflows/build-and-test.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml index 1392bece4..8d54fc9dd 100644 --- a/.github/workflows/build-and-test.yaml +++ b/.github/workflows/build-and-test.yaml @@ -10,6 +10,9 @@ on: env: GO_VERSION: '1.24' +permissions: + contents: read + jobs: lint: runs-on: ubuntu-latest
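Review bot: the new `permissions:` block sits at workflow scope, between `env:` and `jobs:`, but the commit message describes it as matching "the per-job style used by labeler.yml and vulnerability-check.yaml". Either move `permissions: contents: read` under each of lint, build, unit_tests and integration_tests so that it really does follow that style, or reword the message to say the workflow-level default is intentional. Keeping it at workflow scope is a reasonable choice, since jobs added later inherit the read-only token. Note also that once any scope is listed, every scope left unlisted becomes `none` for all jobs in this file. Only the first lines of `lint` are visible in this hunk, so please confirm that no step in the four jobs relies on another scope, for example `pull-requests: write`, `checks: write` or `id-token: write` for annotations, coverage or test-report uploads. If one does, grant that scope on that job alone rather than widening the workflow default. A one-line YAML comment above the block stating that jobs needing more must declare it themselves would help future contributors.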