Set explicit permissions for GitHub Actions workflows (#356)

picatz · web-flow · commit abb113defab4 · 2025-10-29T11:23:52.000-05:00
diff --git a/.github/workflows/build-gems.yml b/.github/workflows/build-gems.yml
@@ -5,6 +5,10 @@ on:
       - main
       - "releases/*"
 
+permissions:
+  contents: read
+  actions: write
+
 jobs:
   build-platform-gems:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
       - main
       - "releases/*"
 
+permissions:
+  contents: read
+
 jobs:
   build-lint-test:
     strategy:
diff --git a/.github/workflows/run-bench.yml b/.github/workflows/run-bench.yml
@@ -1,10 +1,13 @@
 name: Run Bench
-on:
-  workflow_call:
-  workflow_dispatch:
-
-jobs:
-  run-bench:
+on:
+  workflow_call:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  run-bench:
     runs-on: ubuntu-latest-4-cores
     defaults:
       run:
@@ -47,4 +50,4 @@ jobs:
       - run: bundle exec ruby extra/simple_bench.rb --workflow-count 10000 --max-cached-workflows 10000 --max-concurrent 10000
 
       - run: bundle exec ruby extra/simple_bench.rb --workflow-count 10000 --max-cached-workflows 1000 --max-concurrent 1000
-      - run: bundle exec ruby extra/simple_bench.rb --workflow-count 10000 --max-cached-workflows 1000 --max-concurrent 1000
+      - run: bundle exec ruby extra/simple_bench.rb --workflow-count 10000 --max-cached-workflows 1000 --max-concurrent 1000
