From 539bea9c5608c500f636051b3c0204e1dbd16116 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Thu, 14 May 2026 09:57:43 +0900
Subject: [PATCH] ci: declare contents:read on slack-alert workflow

slack-alert runs on workflow_run, which executes with the elevated default-branch context (not the read-only pull_request context). The job only posts to a Slack webhook via SLACK_WEBHOOK_URL; it never calls the GitHub API. Pinning the workflow to contents:read makes the minimum-scope contract explicit, matching release.yml and website.yml which already declare permissions blocks. tests.yml uses actions/cache and is therefore left for a separate change to avoid muddling the cache-write semantics here.

Signed-off-by: Arpit Jain
---
 .github/workflows/slack-alert.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/slack-alert.yml b/.github/workflows/slack-alert.yml
index c2e03c1..2e8fd9f 100644
--- a/.github/workflows/slack-alert.yml
+++ b/.github/workflows/slack-alert.yml
@@ -5,6 +5,9 @@ on:
 workflows: [tests]
 types: [completed]
 
+permissions:
+ contents: read
+
 jobs:
 on-failure:
 runs-on: ubuntu-latest
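Review bot: `contents: read` is not the minimum scope for a job that, by the commit message's own account, never calls the GitHub API — it still issues the job a GITHUB_TOKEN able to read the repository, and that token exists alongside the repository secrets that workflow_run jobs receive even when the upstream tests run was triggered by a fork PR. If no step in on-failure runs actions/checkout or otherwise uses the token, the added block should be `permissions: {}`, which keeps the explicit contract while granting no scopes at all; keep `contents: read` only if a checkout step in that job needs it. The on-failure job body is outside the hunk, so I cannot confirm from here which case applies. Whichever value is chosen, a one-line comment above the block would record the reasoning for the next reader, e.g. `# workflow_run jobs get the default-branch token and secrets; this job only posts to a Slack webhook.`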