From 9f7378f4974626c8f533c43a9edea53194a31b48 Mon Sep 17 00:00:00 2001
From: Arpit Jain <arpitjain099@gmail.com>
Date: Thu, 14 May 2026 11:51:56 +0900
Subject: [PATCH] ci: declare contents:read on test_old_cpu workflow

The test_old_cpu matrix runs Intel SDE-emulated tests on Sandy Bridge
and Haswell baselines. No GitHub API write. contents:read is the floor.

Style matches the per-job permissions block in build_wheels.yml
(id-token:write for trusted publishing) and the workflow-level shape
used by big_endian.yml, build_docs.yml, typecheck.yml.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
---
 .github/workflows/test_old_cpu.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/test_old_cpu.yml b/.github/workflows/test_old_cpu.yml
index 476a876..16a8b37 100644
--- a/.github/workflows/test_old_cpu.yml
+++ b/.github/workflows/test_old_cpu.yml
@@ -11,6 +11,9 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test_old_cpu:
     name: Test on ${{ matrix.cpu[1] }}