Pin mitlibraries/.github action to 935e2fa #330
d2f863e to c16a8ab
| jobs: | ||
| shared: | ||
| uses: mitlibraries/.github/.github/workflows/ruby-shared-ci.yml@main | ||
| uses: mitlibraries/.github/.github/workflows/ruby-shared-ci.yml@935e2fa59553dbb29b68d3c186a041f3233bfd10 # main |
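Review bot: the pin is in the right form (a full 40-hex commit SHA, which is the only commit form GitHub accepts after `@` in `uses:`), but the trailing `# main` comment is load-bearing rather than decorative: Renovate reads that comment to know which ref the SHA tracks and to keep proposing SHA bumps, so it must stay exactly as written. Before merging, confirm that 935e2fa59553dbb29b68d3c186a041f3233bfd10 really is a commit on mitlibraries/.github main, because the comment itself is not verified by anything. Also be aware of the trade-off this line introduces: changes to ruby-shared-ci.yml on main no longer flow into this repository automatically; they arrive only through the next Renovate PR, which is the intended behaviour of pinning but worth stating in the PR description.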
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 2 days ago):
In general, the fix is to explicitly set a permissions block that limits the GITHUB_TOKEN to the minimum scopes needed. This can be set at the workflow root (applies to all jobs that don’t override it) or for the specific job. Since this workflow only has a single job delegating to a reusable workflow, and we don’t see it requiring any write permissions, a safe and typical choice is to give read‑only access to repository contents (contents: read), which is the minimal commonly useful setting for CI jobs that only need to fetch code.
The best way to fix this file without changing existing behavior is to add a permissions block at the top level, between the on: section and jobs:, specifying contents: read. This documents the intended least privilege and ensures that, even if org/repo defaults change, this workflow will keep the restricted permissions. Concretely, in .github/workflows/mit-libraries-ruby-ci.yml, after line 5–6 (the pull_request branches section) and before line 8 (jobs:), insert:
permissions:
  contents: read
No imports or additional definitions are needed; this is just YAML configuration for GitHub Actions.
| @@ -4,6 +4,8 @@ | ||
| branches: [main] | ||
| pull_request: | ||
| branches: [main] | ||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| shared: |
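Review bot: placing `permissions: contents: read` at workflow scope, between the `pull_request:` trigger and `jobs:`, is correct for this file, but note what it does to the reusable workflow call on the `shared:` job: a called workflow can only downgrade the GITHUB_TOKEN permissions it inherits from the caller, never raise them, so after this change ruby-shared-ci.yml at the pinned commit runs with read-only contents and nothing else. Before applying, check that the shared workflow does not post PR comments, upload code-scanning results (which needs `security-events: write`) or publish anything; if it does, grant that single extra scope explicitly on the job rather than leaving the block out. The `@@ -4,6 +4,8 @@` header accounts for exactly the two inserted lines, so nothing else in the file moves.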
This PR contains the following updates: mitlibraries/.github pinned to 935e2fa.

Configuration
📅 Schedule: Branch creation - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday ( * 0-4,22-23 * * 1-5 ), Only on Sunday and Saturday ( * * * * 0,6 ) (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
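As an added example (not code from this PR, from Renovate, or from the mitlibraries repositories), the following Python script performs the two checks that this PR and the CodeQL finding are about: it flags every `uses:` reference that is not pinned to a full 40-character commit SHA, and it reports whether a workflow declares a `permissions` block at workflow scope or on every job. It is a line-oriented scanner rather than a YAML parser, and it assumes the two-space indentation GitHub's own examples use; the two embedded workflows are constructed to mirror the before and after states shown in the diffs above and are not the repository's real file.

```python
import re

# Constructed sample: the caller workflow as it looked before this PR
# (mutable @main reference, no permissions block). Not the repository's real file.
WORKFLOW_BEFORE = """\
name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  shared:
    uses: mitlibraries/.github/.github/workflows/ruby-shared-ci.yml@main
"""

# Constructed sample: the same workflow after the SHA pin and the suggested permissions block.
WORKFLOW_AFTER = """\
name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: read
jobs:
  shared:
    uses: mitlibraries/.github/.github/workflows/ruby-shared-ci.yml@935e2fa59553dbb29b68d3c186a041f3233bfd10 # main
"""

# A `uses:` line, optionally as a list item; the target stops at whitespace or a `#` comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_uses(workflow_text):
    """Return (line_no, target) for each `uses:` whose ref is not a full commit SHA.

    Tags and branch names (@v3, @main) are mutable: whoever controls the referenced
    repository can move them. Local paths and docker:// images carry no git ref
    and are skipped.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        ref = target.rsplit("@", 1)[1] if "@" in target else ""
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, target))
    return findings


def has_permissions_block(workflow_text):
    """True if GITHUB_TOKEN scopes are declared at workflow scope or on every job.

    Assumes two-space indentation: job names sit at 2 spaces, job keys at 4.
    """
    lines = workflow_text.splitlines()
    if any(line.startswith("permissions:") for line in lines):
        return True
    in_jobs, jobs, covered = False, 0, 0
    for line in lines:
        if line.startswith("jobs:"):
            in_jobs = True
            continue
        if in_jobs and line and not line.startswith(" "):
            in_jobs = False  # another top-level key ends the jobs mapping
        if not in_jobs:
            continue
        if re.match(r"^  [A-Za-z0-9_-]+:\s*$", line):
            jobs += 1
        elif re.match(r"^    permissions:", line):
            covered += 1
    return jobs > 0 and covered == jobs


def audit_workflow(workflow_text):
    """Summarise both checks for one workflow file's text."""
    return {
        "unpinned_uses": find_unpinned_uses(workflow_text),
        "has_permissions": has_permissions_block(workflow_text),
    }


if __name__ == "__main__":
    for label, text in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print(label, audit_workflow(text))
```

Run as-is it reports the `@main` reference and the missing block for the "before" text and a clean result for the "after" text; pointing `audit_workflow` at the contents of each file under `.github/workflows/` gives the same two signals CodeQL and Renovate act on, without waiting for either bot.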