From 7d20b6278553bf1120b19fdbb7f099602108bd83 Mon Sep 17 00:00:00 2001
From: Justin Beckwith
Date: Wed, 24 Jun 2026 13:40:48 -0700
Subject: [PATCH] Harden GitHub Actions permissions

---
 .github/workflows/ci.yml              | 13 +++++++++++++
 .github/workflows/create-releases.yml |  2 ++
 2 files changed, 15 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fa3c596f..408b1eb4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,6 +14,8 @@ on:
       - 'stl-preview-head/**'
       - 'stl-preview-base/**'
 
+permissions: {}
+
 jobs:
   build:
     timeout-minutes: 10
@@ -27,6 +29,8 @@ jobs:
       (github.event_name == 'push' || github.event.pull_request.head.repo.fork) && (github.event_name != 'push' || github.event.head_commit.message != 'codegen metadata')
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up Ruby
         uses: ruby/setup-ruby@c515ec17f69368147deb311832da000dd229d338 # v1
         with:
@@ -56,11 +60,15 @@ jobs:
 
   lint:
     timeout-minutes: 10
     name: lint
+    permissions:
+      contents: read
     runs-on: ${{ github.repository == 'stainless-sdks/openai-ruby' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
     if: github.event_name == 'push' || github.event.pull_request.head.repo.fork
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up Ruby
         uses: ruby/setup-ruby@c515ec17f69368147deb311832da000dd229d338 # v1
         with:
@@ -73,6 +81,8 @@ jobs:
   test-ruby:
     timeout-minutes: 10
     name: test (ruby ${{ matrix.ruby-version }})
+    permissions:
+      contents: read
     runs-on: ${{ github.repository == 'stainless-sdks/openai-ruby' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
     if: github.event_name == 'push' || github.event.pull_request.head.repo.fork
     strategy:
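Review bot: The new top-level `permissions: {}` in the -14 hunk has no comment saying what it changes for every job below it, which is the kind of line a later maintainer is tempted to "fix" when a step starts failing with a 403. Its effect is that each job's GITHUB_TOKEN starts with no scopes and must opt in per job, as `lint` and `test-ruby` now do. Suggest a line above it: `# Default-deny for GITHUB_TOKEN: each job grants only the scopes it needs.`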
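Review bot: The `build` job in the -27 hunk gets `persist-credentials: false` but, unlike `lint` (-56) and `test-ruby` (-73), no job-level `permissions:` block, so under the new top-level `permissions: {}` its GITHUB_TOKEN has no scopes at all. If the repository the job runs in is private (the `runs-on` expression mentions a stainless-sdks/openai-ruby copy, so this is inferred), `actions/checkout` cannot clone with an empty-scope token, and any later `build` step that writes through GITHUB_TOKEN would be denied; the rest of the job lies outside the hunk. Adding `permissions:` / `contents: read` to `build`, as the other two jobs do, keeps the three jobs consistent and makes the intended scope explicit rather than implied by the top-level deny.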
@@ -81,6 +91,8 @@ jobs:
         ruby-version: ['3.2', '3.3', '3.4', '4.0']
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Set up Ruby
         uses: ruby/setup-ruby@c515ec17f69368147deb311832da000dd229d338 # v1
         with:
@@ -95,6 +107,7 @@ jobs:
     name: test
     needs: test-ruby
     if: ${{ always() && needs.test-ruby.result != 'skipped' }}
+    permissions: {}
     runs-on: ${{ github.repository == 'stainless-sdks/openai-ruby' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
     steps:
       - if: ${{ needs.test-ruby.result == 'failure' || needs.test-ruby.result == 'cancelled' }}
diff --git a/.github/workflows/create-releases.yml b/.github/workflows/create-releases.yml
index b76d4146..1c0709ff 100644
--- a/.github/workflows/create-releases.yml
+++ b/.github/workflows/create-releases.yml
@@ -11,6 +11,8 @@ on:
         default: false
         type: boolean
 
+permissions: {}
+
 jobs:
   release:
     name: release
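Review bot: The create-releases.yml hunk adds top-level `permissions: {}`, and the diffstat (`2 ++`) shows nothing else in that file changes, so the `release` job, whose body lies outside the hunk, now runs with a GITHUB_TOKEN that has no scopes. If that job creates releases or pushes tags through GITHUB_TOKEN rather than a stored PAT, it needs a job-level grant limited to what it actually uses, e.g. `permissions:` / `contents: write`, placed on the `release` job rather than at the top level. Since the failure would only surface on the next real release, it is worth confirming against the full job definition before merging.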