From fb693143eefd70868333ef3491a0acf0adda9a02 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Thu, 28 May 2026 15:15:56 +0900
Subject: [PATCH] ci: declare minimal workflow-level permissions on leaf workflows

Per maintainer request on #3838, extends least-privilege permissions to the remaining directly-triggered (leaf) workflows that lacked them:

- htmlvalidator.yml: contents: read (read-only HTML validation on PRs)
- pr-checks.yml: contents: read + issues: read (orchestrator; this is the minimal union its reusable workflows declare - checkVersions {}, verifyFreezePeriod issues: read, checkMergeCommits contents: read - so no write scope is needed)
- licensecheck.yml: top-level contents: read default; the call-license-check job keeps its explicit pull-requests: write

Left the reusable workflows (on: workflow_call) and the bot-PAT writer leaves (callUpdateTarget, version-increments) untouched, since their permissions intersect with caller grants and the maintainers are best placed to set those.

Signed-off-by: Arpit Jain
---
 .github/workflows/htmlvalidator.yml | 3 +++
 .github/workflows/licensecheck.yml  | 3 +++
 .github/workflows/pr-checks.yml     | 4 ++++
 3 files changed, 10 insertions(+)

diff --git a/.github/workflows/htmlvalidator.yml b/.github/workflows/htmlvalidator.yml
index ee62b914d7d..2729ec80fb4 100644
--- a/.github/workflows/htmlvalidator.yml
+++ b/.github/workflows/htmlvalidator.yml
@@ -5,6 +5,9 @@ on:
     paths:
       - '**.htm*'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/licensecheck.yml b/.github/workflows/licensecheck.yml
index 5788e0debf7..32b1b9e134e 100644
--- a/.github/workflows/licensecheck.yml
+++ b/.github/workflows/licensecheck.yml
@@ -14,6 +14,9 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   call-license-check:
     permissions:
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index a33fd24222a..f542e336227 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -9,6 +9,10 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+  issues: read
+
 jobs:
   check-freeze-period:
     uses: ./.github/workflows/verifyFreezePeriod.yml
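Review bot: The new workflow-level `contents: read` in licensecheck.yml does not apply to the `call-license-check` job, because a job-level `permissions:` block (the hunk's last context line) replaces the workflow-level grants for that job rather than layering on them, so every scope not listed there is none. If the license check's reusable workflow checks out the repository, `contents: read` has to be repeated inside the job's block next to its `pull-requests: write`; that block's body is outside the hunk, so this needs confirming against the file, and the commit message's "top-level default" wording for this job should be corrected either way. A short comment above the new block would stop the next reader making the same assumption, e.g. `# Default for jobs without their own permissions block; call-license-check declares its scopes in full below.`. This workflow also fires on `issue_comment`, which runs with the base-repository token, so the write scope that job keeps is worth a one-line comment recording why it is safe there.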
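Review bot: The workflow-level `issues: read` in pr-checks.yml is handed to every job, although by the commit message only the freeze-period check's reusable workflow declares it, so the checkVersions (`{}`) and checkMergeCommits (`contents: read`) callers receive a scope they never use. Keeping the top-level block at `contents: read` alone and scoping the extra grant to the one job that needs it is the per-job least-privilege form: under `check-freeze-period:` add `permissions:` and `  issues: read`, which is valid on a `uses:` job and matches what verifyFreezePeriod itself declares. A job-level block replaces the workflow-level grants for that job, so `contents: read` would not reach `check-freeze-period` after this change; that is consistent with the called workflow's stated `issues: read`-only declaration but should be checked against it. The `check-freeze-period` job continues past the end of the hunk, so any `with:`/`secrets:` keys it carries were not reviewed here.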