apply explicit permissions as per CodeQL suggestion

as per rule ID actions/missing-workflow-permissions
2026-03-05 13:30:32 -05:00 · 2025-10-10 15:07:44 +02:00
parent bab4d50cd4
commit 7eec8caae3
5 changed files with 20 additions and 0 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -18,6 +18,10 @@ on:
  schedule:
    - cron: '28 22 * * 5'

+permissions:
+  contents: read
+  security-events: write
+
 jobs:
  analyze:
    name: Analyze
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,8 +4,12 @@ on:
  push:
    tags: '[0-9]+.[0-9]?[0-9]?[0-9]?.?[0-9]+'

+permissions: {}
+
 jobs:
  draft:
+    permissions:
+      contents: write
    runs-on: ubuntu-latest
    steps:
      - name: Fetch changelog from tag
--- a/.github/workflows/snyk-scan.yml
+++ b/.github/workflows/snyk-scan.yml
@@ -8,6 +8,11 @@ on:
    branches: [ master ]
  pull_request:
    branches: [ master ]
+
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
  # https://github.com/snyk/actions/tree/master/php
  snyk-php:
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,8 +1,11 @@
 name: Tests
+
 on:
  push:
  workflow_dispatch:

+permissions: {}
+
 jobs:

  Composer:
--- a/codacy-analysis.yml
+++ b/codacy-analysis.yml
@@ -17,6 +17,10 @@ on:
  schedule:
    - cron: '45 16 * * 1'

+permissions:
+  contents: read
+  security-events: write
+
 jobs:
  codacy-security-scan:
    name: Codacy Security Scan