ci: add workflow permissions (#588)

DanielleHuisman · web-flow · commit 18598ae6c22d · 2025-08-25T13:50:24.000Z
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
         branches:
             - main
 
+permissions:
+    contents: read
+
 env:
     RUSTFLAGS: '-Dwarnings'
 
@@ -19,13 +22,10 @@ jobs:
               uses: actions/checkout@v5
 
             - name: Set up Rust toolchain
-              run: rustup toolchain install stable --no-self-update --profile default --target wasm32-unknown-unknown
-
-            - name: Set up Rust cache
-              uses: swatinem/rust-cache@v2
+              uses: actions-rust-lang/setup-rust-toolchain@v1
               with:
-                  cache-on-failure: true
-                  save-if: ${{ github.ref == 'refs/heads/main' }}
+                  components: clippy, rustfmt
+                  target: wasm32-unknown-unknown
 
             - name: Check formatting
               run: cargo fmt --all --check
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
@@ -3,6 +3,10 @@ name: Labels
 on:
     workflow_dispatch:
 
+permissions:
+    contents: read
+    issues: write
+
 jobs:
     sync-labels:
         name: Sync Labels
diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
@@ -5,6 +5,9 @@ on:
         branches:
             - main
 
+permissions:
+    contents: read
+
 concurrency:
     group: ${{ github.workflow }}-${{ github.ref }}
     cancel-in-progress: false
@@ -13,19 +16,15 @@ jobs:
     book-test:
         name: Test Book
         runs-on: ubuntu-latest
+
         steps:
             - uses: actions/checkout@v5
 
             - name: Set up Rust toolchain
-              run: |
-                  rustup toolchain install stable --no-self-update --profile minimal
-                  rustup target add wasm32-unknown-unknown
-
-            - name: Set up Rust cache
-              uses: swatinem/rust-cache@v2
+              uses: actions-rust-lang/setup-rust-toolchain@v1
               with:
-                  cache-on-failure: true
-                  save-if: ${{ github.ref == 'refs/heads/main' }}
+                  components: clippy, rustfmt
+                  target: wasm32-unknown-unknown
 
             - name: Install Cargo Binary Install
               uses: cargo-bins/cargo-binstall@main
@@ -41,21 +40,17 @@ jobs:
         name: Build Book
         needs: book-test
         runs-on: ubuntu-latest
+
         steps:
             - uses: actions/checkout@v5
               with:
                   fetch-depth: 0
 
             - name: Set up Rust toolchain
-              run: |
-                  rustup toolchain install stable --no-self-update --profile minimal
-                  rustup target add wasm32-unknown-unknown
-
-            - name: Set up Rust cache
-              uses: swatinem/rust-cache@v2
+              uses: actions-rust-lang/setup-rust-toolchain@v1
               with:
-                  cache-on-failure: true
-                  save-if: ${{ github.ref == 'refs/heads/main' }}
+                  components: clippy, rustfmt
+                  target: wasm32-unknown-unknown
 
             - name: Install Cargo Binary Install
               uses: cargo-bins/cargo-binstall@main
@@ -87,10 +82,12 @@ jobs:
         needs: book-build
         if: github.ref == 'refs/heads/main'
         runs-on: ubuntu-latest
+
         permissions:
             contents: read
             pages: write
             id-token: write
+
         steps:
             - uses: actions/checkout@v5
               with:
