Harden GitHub Workflows security

Co-authored-by: Michael Voříšek <mvorisek@mvorisek.cz> Closes GH-9440.
2025-08-16 05:58:45 +02:00 · 2022-08-28 18:20:03 +02:00 · 2022-08-28 18:20:03 +02:00 · 1d45ca58c8
commit 1d45ca58c8
parent a1b23be6bf
6 changed files with 28 additions and 0 deletions
--- a/.github/workflows/close-needs-feedback.yml
+++ b/.github/workflows/close-needs-feedback.yml
@ -4,10 +4,16 @@ on:
  schedule:
    - cron: "0 0 * * *"

+permissions:
+  contents: read
+
 jobs:
  build:
    if: github.repository_owner == 'php'
    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
    steps:
      - name: Close old issues that need feedback
        uses: dwieeb/needs-reply@v2
--- a/.github/workflows/close-stale-feature-requests.yml
+++ b/.github/workflows/close-stale-feature-requests.yml
@ -4,10 +4,16 @@ on:
  schedule:
    - cron: "0 0 * * *"

+permissions:
+  contents: read
+
 jobs:
  stale:
    if: github.repository_owner == 'php'
    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
    steps:
      - uses: actions/stale@v4
        with:
--- a/.github/workflows/close-stale-prs.yml
+++ b/.github/workflows/close-stale-prs.yml
@ -4,10 +4,16 @@ on:
  schedule:
    - cron: "0 0 * * *"

+permissions:
+  contents: read
+
 jobs:
  stale:
    if: github.repository_owner == 'php'
    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
    steps:
      - uses: actions/stale@v4
        with:
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@ -3,6 +3,8 @@ on:
  schedule:
   - cron: "0 1 * * *"
  workflow_dispatch: ~
+permissions:
+  contents: read
 jobs:
  GENERATE_MATRIX:
    name: Generate Matrix
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@ -17,6 +17,8 @@ on:
  pull_request:
    branches:
      - '**'
+permissions:
+  contents: read
 jobs:
  LINUX_X64:
    strategy:
--- a/.github/workflows/remove-needs-feedback.yml
+++ b/.github/workflows/remove-needs-feedback.yml
@ -5,10 +5,16 @@ on:
    types:
      - created

+permissions:
+  contents: read
+
 jobs:
  build:
    if: "github.repository_owner == 'php' && contains(github.event.issue.labels.*.name, 'Status: Needs Feedback') && github.event.issue.user.login == github.event.sender.login"
    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
    steps:
      - uses: actions-ecosystem/action-remove-labels@v1
        with: