From 1b706f9d548aa469ae32e10994a7b1ecb88d7f63 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Thu, 14 May 2026 09:59:00 +0900
Subject: [PATCH] ci: declare workflow-scope permissions on three maintenance workflows

update-cargo-lock, update-yarn-lock and the vscode publish workflow all run with whatever scope the repository default grants. None of them rely on the workflow's own GITHUB_TOKEN:

- update-cargo-lock.yml and update-yarn-lock.yml use RELAY_BOT_GITHUB_PAT for peter-evans/create-pull-request, so the workflow token only needs contents:read for actions/checkout.
- vscode.yml uses VSCE_PAT for vsce publish, so contents:read again suffices for the workflow token.

Pinning the read-only scope brings these three in line with ci.yml, which already declares per-job permissions blocks, and with docusaurus.yml, which uses a workflow-level permissions block.

Signed-off-by: Arpit Jain
---
 .github/workflows/update-cargo-lock.yml | 3 +++
 .github/workflows/update-yarn-lock.yml | 3 +++
 .github/workflows/vscode.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/update-cargo-lock.yml b/.github/workflows/update-cargo-lock.yml
index cdaed996bc0f2..f70554386dcaf 100644
--- a/.github/workflows/update-cargo-lock.yml
+++ b/.github/workflows/update-cargo-lock.yml
@@ -12,6 +12,9 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+
 jobs:
   update-cargo-lock:
     name: Update Cargo.lock file
diff --git a/.github/workflows/update-yarn-lock.yml b/.github/workflows/update-yarn-lock.yml
index a3b17ecd851e1..b4e5b0923257e 100644
--- a/.github/workflows/update-yarn-lock.yml
+++ b/.github/workflows/update-yarn-lock.yml
@@ -9,6 +9,9 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   update-yarn-lock:
     name: Update yarn.lock file
diff --git a/.github/workflows/vscode.yml b/.github/workflows/vscode.yml
index 524aea6ffbd33..baf6ce12d4d0c 100644
--- a/.github/workflows/vscode.yml
+++ b/.github/workflows/vscode.yml
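Review bot: The new `permissions:` block in update-cargo-lock.yml carries no comment explaining why a read-only token is sufficient, so the rationale lives only in the commit message and a maintainer who later switches peter-evans/create-pull-request from RELAY_BOT_GITHUB_PAT to the workflow token would presumably get an opaque permission failure with no hint in the file. Above `permissions:` I would add `# GITHUB_TOKEN is only used by actions/checkout; PR creation authenticates with RELAY_BOT_GITHUB_PAT.`, and the same line in the update-yarn-lock.yml hunk, which has the identical gap. A workflow-level block is overridden by any job-level `permissions:`, and the `update-cargo-lock` and `update-yarn-lock` jobs continue past their hunks, so it is worth confirming neither job declares its own broader scope. The vscode.yml hunk has the same documentation gap and could take `# GITHUB_TOKEN only needs to clone; vsce publish authenticates with VSCE_PAT.`.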
@@ -2,6 +2,9 @@ name: Publish Relay VS Code Extension
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   vscode-release:
     name: VSCode Extension Release