From 704457fa6c745dd4553f61c7a9bbf7c4d94e2fcf Mon Sep 17 00:00:00 2001
From: arpitjain099
Date: Wed, 13 May 2026 11:01:01 +0000
Subject: [PATCH] ci(create-release-branch): pin contents: read

actions-create-release-branch uses secrets.ELEVATED_GITHUB_TOKEN for the actual push, so the default GITHUB_TOKEN can stay scoped to read-only. Matches the top-level pattern in acceptance-test.yml, backport.yml, issue-comment-created.yml, etc.
---
 .github/workflows/create-release-branch.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/create-release-branch.yml b/.github/workflows/create-release-branch.yml
index 1428c92b6..b2e06d7a4 100644
--- a/.github/workflows/create-release-branch.yml
+++ b/.github/workflows/create-release-branch.yml
@@ -1,5 +1,12 @@
 name: Create a release branch
 on: [workflow_dispatch]
+
+# The actions-create-release-branch step uses secrets.ELEVATED_GITHUB_TOKEN
+# to push the release branch; the default GITHUB_TOKEN only needs read
+# access for the checkout.
+permissions:
+  contents: read
+
 jobs:
   create-branch:
     runs-on: ubuntu-latest
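Review bot: The new top-level `permissions:` block grants `contents: read` and, by omission, sets every other scope of the default `GITHUB_TOKEN` to none for the whole workflow, yet the job body after `runs-on: ubuntu-latest` lies outside the hunk, so it is worth confirming that no later step still calls the GitHub API with `GITHUB_TOKEN` expecting write access (such a step would now fail with 403 at run time rather than at review). If the checkout step is itself given `secrets.ELEVATED_GITHUB_TOKEN` so the push can run from the same working tree, the default token is not what authenticates the clone either, and the comment's "only needs read access for the checkout" could be tightened to say which step, if any, actually consumes it. The comment could also make explicit that the PAT remains the privileged credential here, so the least-privilege gain is limited to the auto-provisioned token, e.g. `# Only the auto-provisioned GITHUB_TOKEN is restricted here; ELEVATED_GITHUB_TOKEN still carries the push rights.`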