| commit | 010fde9a18979896ee135d87627cf226e759ab81 | |
|---|---|---|
| author | Joyce <joycebrum@google.com> | Mon Jun 05 13:54:01 2023 -0700 |
| committer | Copybara-Service <copybara-worker@google.com> | Mon Jun 05 13:56:32 2023 -0700 |
| tree | 516c9b439509d7be40b161252444df895fbdbe27 | |
| parent | 0b9b5da7a7cbc4ef62cec05e277ab9e7b395d0c2 | |
Set top level permissions to read only on GitHub Workflows (#12971)

Hi, here is Joyce from Google again. I'd like to start suggesting the [Token-Permission check](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) fix. Let me know if I might be missing any permission. Thanks!

### Security Reason

This is needed because, by default, GitHub grants write-all permission to all workflows, which could be exploited by an attacker in case of a compromised workflow. Limiting permissions is a simple and effective way to also limit the impact of an eventual compromised workflow.

Thus, it is both a recommendation from [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) and [GitHub](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions) to always use credentials that are minimally scoped.

Closes #12971

COPYBARA_INTEGRATE_REVIEW=https://github.com/protocolbuffers/protobuf/pull/12971 from joycebrum:main 6d6dac5678956c6172831dd54dbda063f452380c
PiperOrigin-RevId: 537973051
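The "missing any permission" question above comes down to one rule: once a `permissions:` map is present, every scope not listed drops to `none`, so a job that genuinely needs a write scope must declare it at the job level. The following pair of workflows is a constructed example added here (not protobuf's own `test_ruby.yml`; job names, steps and the `report` job are invented) showing the weak default beside the hardened form:

```yaml
# --- Weak form (constructed): no `permissions:` key at all ---------------
# Every job inherits the repository default for GITHUB_TOKEN, which for
# older repositories is write-all on every scope. A compromised step in
# `test` could therefore push commits, edit releases or publish packages.
name: ruby-tests-weak
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: bundle exec rake test

# --- Hardened form (constructed): top-level read-only, job-level widening --
name: ruby-tests-hardened
on: [pull_request]

# Applies to every job that does not override it. Because a map is given,
# scopes not named here (pull-requests, checks, packages, id-token, ...)
# become `none`, not the repository default.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: bundle exec rake test

  # Only this job can comment on the PR; the widened scope never reaches
  # the `test` job where third-party code and gems execute.
  report:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # job-level override, smallest scope that works
    steps:
      - run: gh pr comment "${{ github.event.pull_request.number }}" --body "Ruby tests passed"
        env:
          GH_TOKEN: ${{ github.token }}
```

The OpenSSF Scorecard Token-Permissions check linked above flags the weak form and accepts the hardened one, since it looks for a restrictive top-level block and tolerates narrowly scoped job-level writes.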
diff --git a/.github/workflows/test_ruby.yml b/.github/workflows/test_ruby.yml index 45b9a1e..24b4122 100644 --- a/.github/workflows/test_ruby.yml +++ b/.github/workflows/test_ruby.yml
@@ -8,6 +8,9 @@ description: "The SHA key for the commit we want to run over" type: string +permissions: + contents: read + jobs: linux: strategy:
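Review bot: Before merging, confirm that no job under `jobs:` in test_ruby.yml (the context shows `linux:` with a `strategy:` matrix) needs a write scope on GITHUB_TOKEN, because once the `permissions:` map added here is present every scope not listed (`pull-requests`, `checks`, `packages`, ...) is set to `none` rather than left at the repository default. If a job does need one, keep this top-level `contents: read` and add a job-level `permissions:` block on that job instead of widening the top-level block. The context line `description: "The SHA key for the commit we want to run over"` shows an input but not the trigger; if this workflow is invoked via `workflow_call`, the caller's permissions already cap these, and the block added here can only narrow them further, which is the intended direction.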