From 21e6ded9444a29a42f82e4e84ee522684efaa619 Mon Sep 17 00:00:00 2001
From: Arpit Jain <arpitjain099@gmail.com>
Date: Thu, 14 May 2026 15:14:55 +0900
Subject: [PATCH] ci: declare contents:read on the lint job

The lint job only runs eslint after checkout + setup-node. No GitHub
API write. The block sits on the job rather than at workflow scope
because the `test` job uses pkgjs/action's reusable node-test
workflow, and adding a caller-level permissions block would
intersect with the callee's grant.

Style matches the workflow-level permissions block in commitlint.yml
(contents:read) and release-please.yml (id-token:write + contents:read).

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
---
 .github/workflows/nodejs.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index cf85f643..d49698a6 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -10,6 +10,8 @@ jobs:
   lint:
     name: Lint using ESLint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
       - name: Use latest Node.js LTS