Set explicit permissions for GitHub Actions workflows

picatz · picatz · commit 9cb26e029167 · 2025-10-29T12:01:52.000-04:00
This change was made by an automated process to ensure all GitHub Actions workflows have explicitly defined permissions as per best practices.
diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml
@@ -5,6 +5,9 @@ on:
       - main
       - "releases/*"
 
+permissions:
+  contents: read
+
 jobs:
   # Compile the binaries and upload artifacts
   compile-binaries:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
       - main
       - "releases/*"
 
+permissions:
+  contents: read
+
 env:
   COLUMNS: 120
 
diff --git a/.github/workflows/nightly-throughput-stress.yml b/.github/workflows/nightly-throughput-stress.yml
@@ -25,6 +25,9 @@ on:
         default: 360
         type: number
 
+permissions:
+  contents: read
+
 env:
   # Workflow configuration
   TEST_DURATION: ${{ inputs.duration || vars.NIGHTLY_TEST_DURATION || '5h' }}
@@ -170,4 +173,4 @@ jobs:
               ]
             }
         env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SDK_ALERTS_WEBHOOK }}
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SDK_ALERTS_WEBHOOK }}
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -5,6 +5,9 @@ on:
     # (12 AM PST)
     - cron: "00 07 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   nightly:
     uses: ./.github/workflows/run-bench.yml
diff --git a/.github/workflows/omes.yml b/.github/workflows/omes.yml
@@ -5,6 +5,10 @@ on:
       - main
       - "releases/*"
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   omes-image-build:
     uses: temporalio/omes/.github/workflows/docker-images.yml@main
diff --git a/.github/workflows/run-bench.yml b/.github/workflows/run-bench.yml
@@ -18,6 +18,9 @@ on:
           - "--sandbox"
           - "--no-sandbox"
 
+permissions:
+  contents: read
+
 jobs:
   run-bench:
     strategy:
@@ -68,4 +71,4 @@ jobs:
       - run: poe run-bench --workflow-count 10000 --max-cached-workflows 10000 --max-concurrent 10000 ${{ inputs.sandbox-arg }}
 
       - run: poe run-bench --workflow-count 10000 --max-cached-workflows 1000 --max-concurrent 1000 ${{ inputs.sandbox-arg }}
-      - run: poe run-bench --workflow-count 10000 --max-cached-workflows 1000 --max-concurrent 1000 ${{ inputs.sandbox-arg }}
+      - run: poe run-bench --workflow-count 10000 --max-cached-workflows 1000 --max-concurrent 1000 ${{ inputs.sandbox-arg }}

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,9 @@ on:`
`25`	`25`	`default: 360`
`26`	`26`	`type: number`
`27`	`27`
	`28`	`+permissions:`
	`29`	`+ contents: read`
	`30`	`+`
`28`	`31`	`env:`
`29`	`32`	`# Workflow configuration`
`30`	`33`	`TEST_DURATION: ${{ inputs.duration \|\| vars.NIGHTLY_TEST_DURATION \|\| '5h' }}`
`@@ -170,4 +173,4 @@ jobs:`
`170`	`173`	`]`
`171`	`174`	`}`
`172`	`175`	`env:`
`173`		`- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SDK_ALERTS_WEBHOOK }}`
	`176`	`+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SDK_ALERTS_WEBHOOK }}`