From f5ff425d4da49bf724676e83fd3d6d16659b0ad3 Mon Sep 17 00:00:00 2001
From: Arpit Jain <arpitjain099@gmail.com>
Date: Thu, 14 May 2026 03:03:51 +0900
Subject: [PATCH] ci: declare contents: read on ci.yml and codespell.yml

Both workflows do checkout + build/test (ci.yml) or checkout + codespell
scan (codespell.yml). Neither pushes commits or calls write APIs.
codeql.yml in this repo already declares workflow-level contents: read;
this brings the remaining two in line.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
---
 .github/workflows/ci.yml        | 3 +++
 .github/workflows/codespell.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b56bcf39..519be07e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
 
   checks:
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index 60c6c95f..b80fef70 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   codespell:
     name: Check for spelling errors