ci: add explicit GITHUB_TOKEN permissions to nightly and cargo workflows

arpitjain099 · arpitjain099 · commit 975e1311c8d9 · 2026-05-13T06:59:06.000Z
nightly.yaml is a stub that just echoes a redirect message and exits 1 (the
real workflow lives on the test-matrix branch). It doesn't need any
GITHUB_TOKEN scope, so permissions: {}.

rust.yml runs cargo test + cargo build + cmake test on every push/PR. Two
jobs, both pure CI - contents: read is enough.

The mdbook.yaml workflow already declares explicit permissions for the
GitHub Pages deployment; this aligns the remaining cargo + nightly
workflows with that pattern.

Signed-off-by: Arpit Jain &lt;arpitjain099@gmail.com&gt;
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
@@ -5,6 +5,8 @@ name: Crubit Nightly Test Matrix
 on:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   use-test-matrix:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -12,6 +12,9 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+
 # LINT.IfChange
 jobs:
   test:
