From e56bd790215681698c0829c2af51954a1e696790 Mon Sep 17 00:00:00 2001
From: arpitjain099 <arpitjain099@gmail.com>
Date: Wed, 13 May 2026 10:35:02 +0000
Subject: [PATCH] ci(consistency): declare contents: read

The Consistency workflow runs lint / format / changelog-verify checks on
pull_request and push to main and doesn't touch the API. Mirror the
top-level permissions style already used in prepare-auto-release-branch.yml
and pin the default GITHUB_TOKEN to read-only.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
---
 .github/workflows/consistency.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/consistency.yml b/.github/workflows/consistency.yml
index 06b8c9d2644..d425771e36d 100644
--- a/.github/workflows/consistency.yml
+++ b/.github/workflows/consistency.yml
@@ -10,6 +10,9 @@ on:
   merge_group:
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   check-changes: