GitHub Workflows security hardening (#3081)

guzzle · Apr 17, 2023 · 5b71b8f · 5b71b8f
1 parent c6f3a35
commit 5b71b8f
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 0 deletions.
diff --git a/.github/workflows/branch-alias.yml b/.github/workflows/branch-alias.yml
@@ -4,8 +4,13 @@ on:
   push:
     tags: ['*']
 
+permissions: {}
 jobs:
   branch-alias:
+    permissions:
+      contents: write  #  to create branch (peter-evans/create-pull-request)
+      pull-requests: write  #  to create a PR (peter-evans/create-pull-request)
+
     name: Update branch alias
     runs-on: ubuntu-22.04
 

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -6,6 +6,9 @@ on:
       - master
   pull_request:
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   composer-normalize:
     name: Composer Normalize

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
       - master
   pull_request:
 
+permissions:
+  contents: read  #  to clone the repos and get release assets (shivammathur/setup-php)
+
 jobs:
   build-lowest-version:
     name: Build lowest version

diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
@@ -6,6 +6,9 @@ on:
       - master
   pull_request:
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   phpstan:
     name: PHPStan