From 10325d2436ed5eecebce1a4750bbfcbaabbc6bf1 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Thu, 14 May 2026 10:40:20 +0900 Subject: [PATCH] ci: declare per-job permissions on tests-schedule workflow The download job runs pytest against the dataset-download tests and, on schedule failure, uses JasonEtco/create-an-issue to open a tracking issue. That action's only API call is POST /repos/{owner}/{repo}/issues, which needs issues:write. contents:read covers actions/checkout. This matches the per-job permissions blocks already declared by the reusable-test callers in this repo (id-token:write + contents:read on build-cmake.yml, build-conda*.yml, etc). Signed-off-by: Arpit Jain --- .github/workflows/tests-schedule.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/tests-schedule.yml b/.github/workflows/tests-schedule.yml index 50d22e63375..c3a9031acb2 100644 --- a/.github/workflows/tests-schedule.yml +++ b/.github/workflows/tests-schedule.yml @@ -13,6 +13,9 @@ on: jobs: download: runs-on: ubuntu-latest + permissions: + contents: read + issues: write # JasonEtco/create-an-issue opens a tracking issue on schedule failure steps: - name: Set up python
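Review bot: In the permissions block added to the download job, issues: write is set at job level, so the job's token carries it for every step (checkout, Python setup, the pytest run), although the commit message says only the JasonEtco/create-an-issue step needs it. Consider moving issue creation into a separate follow-up job (needs: download, if: failure()) that declares issues: write, and leaving download with contents: read only, so nothing executed during the test run holds a token that can write issues. The uses: line for create-an-issue is not visible in this hunk; since it is the step that consumes the write-scoped token, it is worth confirming it is pinned to a full commit SHA rather than a tag.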