From a2b22ba7f85e9ccc71c5a0ca434560169b051c85 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Thu, 14 May 2026 09:50:45 +0900 Subject: [PATCH] ci: declare minimum permissions on lint-pr-name workflow The lint-pr-name workflow triggers on pull_request_target, which runs with the default GITHUB_TOKEN scopes for the base repo rather than the read-only scopes used for pull_request from forks. Pinning the token to contents:read + pull-requests:write narrows the blast radius if a referenced third-party action (amannn/action-semantic-pull-request, marocchino/sticky-pull-request-comment) is ever compromised, while preserving the comment-sticky behaviour the job already relies on. This mirrors the style used in pull-requests.yaml (workflow-level permissions block). Signed-off-by: Arpit Jain --- .github/workflows/lint-pr-name.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/lint-pr-name.yaml b/.github/workflows/lint-pr-name.yaml index 412d5d8..8cdd9d2 100644 --- a/.github/workflows/lint-pr-name.yaml +++ b/.github/workflows/lint-pr-name.yaml @@ -7,6 +7,10 @@ on: - edited - synchronize +permissions: + contents: read + pull-requests: write + jobs: main: name: Validate PR title
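Review bot: the workflow-level `permissions:` block is the right scope for this single-job workflow, but the commit message's threat model (a compromised third-party action) is only partly addressed by narrowing the token: on `pull_request_target` the job still runs in the base repository's context, so the two referenced actions should also be pinned to a full commit SHA rather than a mutable tag if they are not already, otherwise a compromised tag still executes with the `pull-requests: write` scope this hunk grants. Two smaller points on the added lines themselves: `pull-requests: write` is what `marocchino/sticky-pull-request-comment` needs to post and update its comment and is sufficient for `amannn/action-semantic-pull-request` to read the title, so nothing is missing there; and `contents: read` is only required if the job performs a checkout, so if the job body (not visible in this hunk) has no `actions/checkout` step, dropping it to the minimum the job actually uses would be consistent with the "declare minimum permissions" intent of the subject line.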