chore: GH workflow permissions (#532)

jkowalleck · web-flow · commit e7cc5d4a54ff · 2025-05-12T13:18:27.000+02:00
Signed-off-by: Jan Kowalleck &lt;jan.kowalleck@gmail.com&gt;
diff --git a/.github/workflows/php-dev.yml b/.github/workflows/php-dev.yml
@@ -26,6 +26,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 env:
   PHP_VERSION_LATEST: "8.4"
   PHP_PROJECT_EXT: dom,filter,json,libxml,simplexml  # via `composer info -pt`
diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
@@ -17,6 +17,8 @@ concurrency:
   group: '${{ github.workflow }}-${{ github.ref }}'
   cancel-in-progress: true
 
+permissions: {}
+
 env:
   PHP_VERSION_LOWEST: "8.1"  # lowest supported
   PHP_VERSION_LATEST: "8.4"  # highest supported
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -26,10 +26,14 @@ name: Release
 on:
   workflow_dispatch
 
+permissions: {}
+
 jobs:
   release:
     name: Release
-    permissions: write-all
+    permissions:
+      id-token: write
+      contents: write  # to create a release
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
