From 6155ab7f5429ce1a7003074ffecf36747070d65e Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Thu, 14 May 2026 11:33:09 +0900 Subject: [PATCH] ci: declare contents:read on Flash Attention Benchmark workflow The benchmark-flash-attn job clones this repo, clones Dao-AILab/flash-attention into a sibling path, and runs benchmarks on linux.dgx.b200.8. No GitHub API write beyond actions/checkout. Style matches the per-job permissions blocks already used by tritonbench.yml, vllm-benchmark.yml, and the other hardened workflows in this repo (typically id-token:write + contents:read). inductor.yml is the other workflow without permissions, but it's a caller of pytorch/test-infra/.github/workflows/linux_job.yml@main, so adding permissions there would intersect with the reusable workflow's grant. Signed-off-by: Arpit Jain --- .github/workflows/flash_attention.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/flash_attention.yml b/.github/workflows/flash_attention.yml index 201aaff1..feefc072 100644 --- a/.github/workflows/flash_attention.yml +++ b/.github/workflows/flash_attention.yml @@ -17,6 +17,8 @@ jobs: benchmark-flash-attn: name: Flash Attention CuTe DSL Benchmark runs-on: linux.dgx.b200.8 + permissions: + contents: read steps: - name: Checkout repository uses: actions/checkout@v4
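Review bot: The job-level `permissions:` block added under `benchmark-flash-attn` sets every scope other than `contents` to none, so please confirm that no later step in this job (the hunk shows only the checkout step) needs an OIDC token or any API write. The commit message says the sibling workflows typically pair `id-token: write` with `contents: read`, and this job declares only `contents: read`. If a later step assumes a cloud role or uploads results, it will start failing once this lands. Two follow-ups on the `actions/checkout@v4` context line, either here or in a separate change: the job goes on to run code cloned from Dao-AILab/flash-attention on the same runner, so setting `persist-credentials: false` on the checkout would keep the token out of the local git config, and pinning the action to a full commit SHA instead of the `v4` tag would stop a moved tag from changing what runs. Finally, consider whether a workflow-level `permissions: contents: read` default would be safer than the per-job block, so that a job added to this file later does not inherit the repository default.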