Update 8hobbies/workflows digest to ad34dcf #315
| jobs: | ||
| lint: | ||
| uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@d1e85a08791c06db486a7943658d5090c27339db | ||
| uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@ad34dcf4277cc2e1f3ee68482120e6cfe9033655 |
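Review bot: the bump keeps the reusable workflow pinned to a full 40-character commit SHA rather than a branch or tag, which is what makes the reference immutable, so the pin style itself is fine. Since Automerge is enabled on this PR, the only review of what ad34dcf4277cc2e1f3ee68482120e6cfe9033655 actually contains is whatever happened upstream in 8hobbies/workflows; the effective review gate for this repository's lint CI lives there, not here. The CodeQL warning attached to this line concerns the caller file having no permissions block and is independent of the digest change.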
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (severity: Medium)
Copilot Autofix
AI 4 days ago
To fix the problem, explicitly declare a permissions block that grants only the minimal rights needed by this lint workflow. Since a lint job typically needs only to read the repository contents (and possibly packages), a conservative default is contents: read. This should be set at the root level of the workflow so it applies to all jobs, including the reusable one, unless that reusable workflow overrides it.
Concretely, in .github/workflows/lint.yml, add a permissions: mapping just below the name: Lint line and before the on: block. Use:

```yaml
permissions:
  contents: read
```

This keeps existing functionality unchanged (linting still has read access to the repo) while ensuring the GITHUB_TOKEN is not granted unnecessary write permissions. No imports or additional methods are needed, only this YAML configuration change.
| @@ -14,6 +14,9 @@ | ||
|
|
||
| name: Lint | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: ["master"] |
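Review bot: the suggested workflow-level contents: read also becomes the ceiling for the called npm-lint.yml, because a reusable workflow can only reduce the GITHUB_TOKEN permissions it receives from the caller, never raise them. That is the intended effect, but it also means the lint job will start failing if npm-lint.yml at ad34dcf needs any scope beyond contents: read; confirm the called workflow's needs before committing this block. Note that this hunk is an autofix suggestion and not part of the Renovate diff.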
| jobs: | ||
| run: | ||
| uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@d1e85a08791c06db486a7943658d5090c27339db | ||
| uses: 8hobbies/workflows/.github/workflows/npm-publish-dry-run.yml@ad34dcf4277cc2e1f3ee68482120e6cfe9033655 |
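Review bot: identical pin change to the lint job. All three callers in this PR move to the same upstream digest, which is the right way to bump shared workflows; partial updates would leave the repository running two revisions of the same workflow set side by side.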
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (severity: Medium)
Copilot Autofix
AI 4 days ago
In general, the fix is to add an explicit permissions: block that grants only the minimal required scopes to GITHUB_TOKEN. Declaring this at the top (workflow) level will apply to all jobs that don’t define their own permissions; declaring it inside a specific job will apply just to that job. Since this workflow only contains a single job run that reuses another workflow, the safest and clearest approach is to add a workflow-level permissions: block restricting permissions to read-only (contents: read), which aligns with the recommended minimal baseline when the workflow is not expected to modify repository state directly.
Concretely, in .github/workflows/publish-dry-run.yml, insert a permissions: section between the name: and on: keys (around line 17). Use:

```yaml
permissions:
  contents: read
```

This documents that the workflow only needs read access to repository contents and prevents inadvertent elevation if repository/org defaults are broader. No imports, methods, or other definitions are needed; this is purely a YAML configuration change.
| @@ -14,6 +14,9 @@ | ||
|
|
||
| name: Publish Dry Run | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: ["master"] |
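Review bot: same suggestion as for lint.yml, with one point worth recording here rather than there: a workflow-level block applies to every job in the file, so if a real (non dry-run) publish job is ever added to this file and needs a write scope, it should declare its own job-level permissions rather than widening this workflow default. The hunk is fine as written.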
| jobs: | ||
| test: | ||
| uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@d1e85a08791c06db486a7943658d5090c27339db | ||
| uses: 8hobbies/workflows/.github/workflows/npm-runtime.yml@ad34dcf4277cc2e1f3ee68482120e6cfe9033655 |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (severity: Medium)
Copilot Autofix
AI 4 days ago
In general, the fix is to define an explicit permissions: block that limits the default GITHUB_TOKEN scope, either at the workflow root (applies to all jobs) or under the specific job. Because this workflow only has the single test job that delegates to a reusable workflow, the minimal and safest change is to add a root-level permissions: block with read-only defaults.
The best concrete fix without changing functionality is:
- Add a `permissions:` section between `name: Runtime` and `on:` (root-level).
- Set conservative defaults such as `contents: read` and `packages: read`, which match GitHub's recommended minimal read-only permissions and should be sufficient for typical runtime/test workflows that only need to fetch code and packages.
- Leave the existing `jobs.test.uses` line unchanged so the workflow behavior is preserved; we are only constraining the `GITHUB_TOKEN`.

No additional imports, methods, or definitions are needed since this is a YAML workflow file.
| @@ -14,6 +14,10 @@ | ||
|
|
||
| name: Runtime | ||
|
|
||
| permissions: | ||
| contents: read | ||
| packages: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: ["master"] |
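Review bot: this suggestion grants packages: read on top of contents: read, unlike the other two autofixes, on the assumption that a runtime/test workflow may fetch packages; the visible caller gives no evidence either way, since it only calls npm-runtime.yml. Grant packages: read only if the called workflow actually reads from GitHub Packages. If it installs from the public npm registry, contents: read alone is the tighter grant and keeps the three callers consistent.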
This PR contains the following updates:
8hobbies/workflows digest: d1e85a0 → ad34dcf

Configuration
📅 Schedule: Branch creation - "on Sunday" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
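As an added example, not code from this PR or from the 8hobbies/workflows project, the following audit flags the two properties under review on this page: caller workflows that leave GITHUB_TOKEN on its default grant (the CodeQL finding above) and reusable-workflow references not pinned to a full commit SHA (what the Renovate digest bump maintains). It assumes flat, block-style workflow files like the ones in this PR; the sample workflow is constructed to mirror the lint caller, and the function name audit_workflow is the author's own.

```python
import re

# Constructed sample modelled on the caller workflows in this PR: one job that
# calls a reusable workflow pinned to a commit digest, and no permissions block.
SAMPLE_BEFORE = """name: Lint
on:
  push:
    branches: ["master"]
jobs:
  lint:
    uses: 8hobbies/workflows/.github/workflows/npm-lint.yml@ad34dcf4277cc2e1f3ee68482120e6cfe9033655
"""

# The same file with the workflow-level block the CodeQL autofix proposes.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "name: Lint\n", "name: Lint\npermissions:\n  contents: read\n", 1)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Line-based audit of a flat, block-style workflow file; returns findings."""
    findings = []
    top_perms = None            # value after a column-0 "permissions:", else None
    in_jobs, job = False, None
    job_perms = {}              # job name -> declares its own permissions key
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:                      # top-level keys
            in_jobs = stripped == "jobs:"
            if stripped.startswith("permissions:"):
                top_perms = stripped.split(":", 1)[1].strip()
        elif in_jobs and indent == 2 and stripped.endswith(":"):   # job header
            job = stripped[:-1]
            job_perms[job] = False
        elif in_jobs and job and indent == 4:                      # job keys
            if stripped.startswith("permissions:"):
                job_perms[job] = True
            elif stripped.startswith("uses:") and "@" in stripped:
                ref = stripped.rsplit("@", 1)[1]   # part after '@' is the pin
                if not FULL_SHA.match(ref):
                    findings.append(f"{job}: reusable workflow ref '{ref}' is not a full commit SHA")
    if top_perms == "write-all":
        findings.append("workflow: permissions write-all grants every scope")
    for name, own in job_perms.items():
        if top_perms is None and not own:    # neither level restricts the token
            findings.append(f"{name}: no permissions block, job inherits the default GITHUB_TOKEN grant")
    return findings
```

Running audit_workflow over SAMPLE_BEFORE reports the missing permissions block, and over SAMPLE_AFTER reports nothing; swapping the digest for a branch name produces the unpinned-reference finding.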