VLN-492: Set explicit permissions for GitHub Actions workflows (#1199)

picatz · web-flow · commit 660ac2b87de4 · 2025-10-30T11:29:08.000-07:00
* Set explicit permissions for GitHub Actions workflows This change was made by an automated process to ensure all GitHub Actions workflows have explicitly defined permissions as per best practices. * Add `actions: read` to use `temporalio/features` Following the same fix done here: temporalio/sdk-dotnet#556 After this was landed: temporalio/features#693
diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml
@@ -5,6 +5,9 @@ on:
       - main
       - "releases/*"
 
+permissions:
+  contents: read
+
 jobs:
   # Compile the binaries and upload artifacts
   compile-binaries:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,10 @@ on:
       - main
       - "releases/*"
 
+permissions:
+  contents: read
+  actions: read
+
 env:
   COLUMNS: 120
 
diff --git a/.github/workflows/nightly-throughput-stress.yml b/.github/workflows/nightly-throughput-stress.yml
@@ -26,7 +26,7 @@ on:
         type: number
 
 permissions:
-    contents: read
+  contents: read
 
 env:
   # Workflow configuration
@@ -173,4 +173,4 @@ jobs:
               ]
             }
         env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SDK_ALERTS_WEBHOOK }}
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SDK_ALERTS_WEBHOOK }}
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -5,6 +5,9 @@ on:
     # (12 AM PST)
     - cron: "00 07 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   nightly:
     uses: ./.github/workflows/run-bench.yml
diff --git a/.github/workflows/omes.yml b/.github/workflows/omes.yml
@@ -5,6 +5,10 @@ on:
       - main
       - "releases/*"
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   omes-image-build:
     uses: temporalio/omes/.github/workflows/docker-images.yml@main
diff --git a/.github/workflows/run-bench.yml b/.github/workflows/run-bench.yml
@@ -18,6 +18,9 @@ on:
           - "--sandbox"
           - "--no-sandbox"
 
+permissions:
+  contents: read
+
 jobs:
   run-bench:
     strategy:
@@ -68,4 +71,4 @@ jobs:
       - run: poe run-bench --workflow-count 10000 --max-cached-workflows 10000 --max-concurrent 10000 ${{ inputs.sandbox-arg }}
 
       - run: poe run-bench --workflow-count 10000 --max-cached-workflows 1000 --max-concurrent 1000 ${{ inputs.sandbox-arg }}
-      - run: poe run-bench --workflow-count 10000 --max-cached-workflows 1000 --max-concurrent 1000 ${{ inputs.sandbox-arg }}
+      - run: poe run-bench --workflow-count 10000 --max-cached-workflows 1000 --max-concurrent 1000 ${{ inputs.sandbox-arg }}

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ on:`
`26`	`26`	`type: number`
`27`	`27`
`28`	`28`	`permissions:`
`29`		`- contents: read`
	`29`	`+ contents: read`
`30`	`30`
`31`	`31`	`env:`
`32`	`32`	`# Workflow configuration`
`@@ -173,4 +173,4 @@ jobs:`
`173`	`173`	`]`
`174`	`174`	`}`
`175`	`175`	`env:`
`176`		`- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SDK_ALERTS_WEBHOOK }}`
	`176`	`+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SDK_ALERTS_WEBHOOK }}`