From c8df34668df297ff2039fe26c3439ea7ccc91725 Mon Sep 17 00:00:00 2001
From: Jonathan Zhang <topcoder1@gmail.com>
Date: Sun, 3 May 2026 16:57:20 -0700
Subject: [PATCH] ci(lint): grant pull-requests: read for prettier_changed_only
 mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Required by topcoder1/ci-workflows#29 (merged 2026-05-03), which
adds a prettier_changed_only mode that lists PR-changed files via
`gh api .../pulls/N/files`. Without this permission the reusable
workflow falls back to full-glob mode and emits a ::warning:: on
every PR — functional but noisy.

Strictly grants an additional read scope, no privilege escalation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/lint.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4f9cc1e..355a035 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -14,6 +14,9 @@ on:
 
 permissions:
   contents: read
+  # Required by topcoder1/ci-workflows lint.yml prettier_changed_only mode
+  # (default true) so the reusable can call gh api .../pulls/N/files.
+  pull-requests: read
 
 jobs:
   lint: