ci: set least-privilege contents:read permissions on openapi-lint workflow

Per CodeRabbit review on #13410. The job only checks out the repo and runs Spectral, so contents:read is sufficient and avoids inheriting any permissive repo/org default token scope.
2026-05-06 10:17:59 +08:00 · 2026-04-29 19:00:36 -07:00
parent 14ada4d29d
commit 2cf262fe67
1 changed files with 3 additions and 0 deletions
--- a/.github/workflows/openapi-lint.yml
+++ b/.github/workflows/openapi-lint.yml
@ -7,6 +7,9 @@ on:
      - '.spectral.yaml'
      - '.github/workflows/openapi-lint.yml'

+permissions:
+  contents: read
+
 jobs:
  spectral:
    name: Run Spectral