ci: declare contents:read on the lint job

arpitjain099 · arpitjain099 · commit 21e6ded9444a · 2026-05-14T15:14:55.000+09:00
The lint job only runs eslint after checkout + setup-node. No GitHub
API write. The block sits on the job rather than at workflow scope
because the `test` job uses pkgjs/action's reusable node-test
workflow, and adding a caller-level permissions block would
intersect with the callee's grant.

Style matches the workflow-level permissions block in commitlint.yml
(contents:read) and release-please.yml (id-token:write + contents:read).

Signed-off-by: Arpit Jain &lt;arpitjain099@gmail.com&gt;
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -10,6 +10,8 @@ jobs:
   lint:
     name: Lint using ESLint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v6
       - name: Use latest Node.js LTS
