tools: add read permission to workflows that read contents

aduh95 · targos · commit 2d5de7e30954 · 2025-05-16T07:07:01.000+02:00
Not having this permission is OK because the repo is public, but on private forks, it fails the checkout step. PR-URL: #58255 Reviewed-By: LiviaMedeiros <livia@cirno.name> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
diff --git a/.github/workflows/lint-release-proposal.yml b/.github/workflows/lint-release-proposal.yml
@@ -20,6 +20,7 @@ jobs:
   lint-release-commit:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       pull-requests: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
diff --git a/.github/workflows/notify-on-push.yml b/.github/workflows/notify-on-push.yml
@@ -32,6 +32,7 @@ jobs:
     if: github.repository == 'nodejs/node'
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       pull-requests: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
