ci(lint-and-built): cap GITHUB_TOKEN to contents: read (#50)

arpitjain099 · web-flow · commit 54667796f571 · 2026-05-26T13:21:05.000+09:00
Workflow runs checks only; no GitHub API writes. Post-CVE-2025-30066 hardening pattern. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
diff --git a/.github/workflows/lint-and-built.yml b/.github/workflows/lint-and-built.yml
@@ -10,6 +10,9 @@ on:
       - '*'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build-translation:
     runs-on: ubuntu-latest
