From 0b8fa0f36121acec22df3dd7bd281ea0f64b42a2 Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Tue, 26 May 2026 08:05:09 +0900
Subject: [PATCH] ci: declare workflow-level contents: read on protocol and truffleruby

Workflow runs checks only; no GitHub API writes from the workflow itself. Post-CVE-2025-30066 hardening pattern. yaml.safe_load validated.

Signed-off-by: Arpit Jain
---
 .github/workflows/protocol.yml | 3 +++
 .github/workflows/truffleruby.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/protocol.yml b/.github/workflows/protocol.yml
index fb9c3b204..666ab4375 100644
--- a/.github/workflows/protocol.yml
+++ b/.github/workflows/protocol.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   ruby-versions:
     uses: ruby/actions/.github/workflows/ruby_versions.yml@master
diff --git a/.github/workflows/truffleruby.yml b/.github/workflows/truffleruby.yml
index 2d05d2ce7..a3ec885bd 100644
--- a/.github/workflows/truffleruby.yml
+++ b/.github/workflows/truffleruby.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read
+
 jobs:
   truffleruby:
     runs-on: ubuntu-latest
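Review bot: The job directly below the new `permissions:` block in protocol.yml still calls `ruby/actions/.github/workflows/ruby_versions.yml@master`, a reusable workflow referenced by a mutable branch rather than a commit SHA, so the hardening the commit message invokes (post-CVE-2025-30066) is only half applied: a read-only token bounds what a compromised dependency can write, but a branch reference still lets its content change underneath this workflow. If ruby/actions is maintained by the same organization that may be an accepted trade-off; otherwise the line should become `uses: ruby/actions/.github/workflows/ruby_versions.yml@<FULL_COMMIT_SHA>  # <tag or branch it tracks>`. That line is context rather than part of this change, and the `on:` block named in the hunk header starts above the hunk, so which other triggers exist is not visible here; the workflow-level block governs every job regardless of trigger, which is the right scope.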
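Review bot: The new `permissions:` block in truffleruby.yml carries no comment explaining the policy, and since a job-level `permissions:` key replaces the workflow-level default for that job rather than merging with it (unlisted scopes become none), a future job that declares its own block silently loses `contents: read` unless it restates it. I would add above the block: `# Least-privilege GITHUB_TOKEN: this workflow only reads the checkout; every other scope is none. A job-level permissions key replaces this block, so restate contents: read there if one is added.` The identical block in protocol.yml would take the same comment. The truffleruby job body continues below the hunk, so whether any of its steps need more than read access cannot be confirmed from here.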