Add explicit permissions to GitHub workflows (#1764)

Fix code scanning alert about unlimited permissions by applying the
principle of least privilege to all workflow jobs. Each job now has
only the permissions it actually needs (contents: read for checkout
and build operations). The rules workflow gets empty permissions as
it only runs shell scripts without needing repository access.

Committed-By-Agent: claude

Author: mbroshi-stripe

.github/workflows/ci.yml

@@ -18,10 +18,14 @@ on:
       - sdk-release/**
       - feature/**
 
+permissions: {}
+
 jobs:
   build:
     name: Build
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
 
     steps:
     - uses: extractions/setup-just@v2
@@ -44,6 +48,8 @@ jobs:
     name: Test (${{ matrix.ruby-version }})
     # this version of jruby isn't available in the new latest (24.04) so we have to pin (or update jruby)
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     strategy:
       matrix:
         # following https://docs.stripe.com/sdks/versioning?lang=ruby#stripe-sdk-language-version-support-policy
@@ -69,6 +75,8 @@ jobs:
       endsWith(github.actor, '-stripe')
     needs: [build, test]
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     steps:
     - name: Download all workflow run artifacts
       uses: actions/download-artifact@v4

.github/workflows/rules.yml

@@ -7,6 +7,8 @@ on:
     types:
       - auto_merge_enabled
 
+permissions: {}
+
 jobs:
   require_merge_commit_on_merge_script_pr:
     name: Merge script PRs must create merge commits