From 0c41d735aa3b8f1b315c8d06532177c653e76ebf Mon Sep 17 00:00:00 2001
From: minagishl
Date: Mon, 29 Jun 2026 11:15:19 +0900
Subject: [PATCH] ci: restrict bench workflow token permissions

Limit GITHUB_TOKEN to contents:read and disable credential persistence on checkout steps for defense in depth.
---
 .github/workflows/bench.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml
index ed8d48e..cc21849 100644
--- a/.github/workflows/bench.yml
+++ b/.github/workflows/bench.yml
@@ -34,6 +34,9 @@ concurrency:
   group: bench-${{ github.repository }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   bench:
     runs-on: ubuntu-latest
@@ -44,18 +47,21 @@ jobs:
         uses: actions/checkout@v4
         with:
           path: workspace/benchmark
+          persist-credentials: false
       - name: Checkout twilic-js
         uses: actions/checkout@v4
         with:
           repository: ${{ github.repository_owner }}/twilic-js
           path: workspace/twilic-js
+          persist-credentials: false
       - name: Checkout twilic-rust
         uses: actions/checkout@v4
         with:
           repository: ${{ github.repository_owner }}/twilic-rust
           path: workspace/twilic-rust
+          persist-credentials: false
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
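Review bot: The new workflow-level `permissions: contents: read` becomes the token default for every job that does not declare its own `permissions:`, which here means the whole `bench` job, whose remaining steps lie outside this hunk; if any of those later steps publishes results (pushing to a branch, commenting on a pull request), it will now fail with a 403 rather than degrade quietly, so that tail of the job should be checked before merging. If such a step exists, grant the scope at job level under `bench:` (for example `permissions: { contents: read, pull-requests: write }`) rather than widening the workflow default. The block would also benefit from a comment stating the intent so a later contributor does not reflexively loosen it: `# Read-only default for GITHUB_TOKEN; grant write scopes per job only where a step needs them.` Note that this token covers only the current repository, so the checkouts of the sibling `twilic-js`/`twilic-rust` repositories presumably rely on those being public, as they did before this change.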