chore: secure workflows permission

Author: ddevsr

.github/workflows/deploy-apidocs.yml

@@ -11,6 +11,10 @@ on:
       - 'system/**'
       - '.github/workflows/deploy-apidocs.yml'
 
+permissions:
+    contents: write
+    pull-requests: write
+
 jobs:
   build:
     name: Deploy to api

.github/workflows/deploy-distributables.yml

@@ -9,6 +9,8 @@ on:
 jobs:
   check-version:
     name: Check for updated version
+    permissions:
+      contents: read
     runs-on: ubuntu-22.04
 
     steps:
@@ -31,6 +33,10 @@ jobs:
 
   framework:
     name: Deploy to framework
+    permissions:
+      # Allow actions/github-script to create release
+      contents: write
+      pull-requests: write
     if: github.repository == 'codeigniter4/CodeIgniter4'
     runs-on: ubuntu-22.04
     needs: check-version
@@ -78,6 +84,10 @@ jobs:
 
   appstarter:
     name: Deploy to appstarter
+    permissions:
+      # Allow actions/github-script to create release
+      contents: write
+      pull-requests: write
     if: github.repository == 'codeigniter4/CodeIgniter4'
     runs-on: ubuntu-22.04
     needs: check-version
@@ -125,6 +135,10 @@ jobs:
 
   userguide:
     name: Deploy to userguide
+    permissions:
+      # Allow actions/github-script to create release
+      contents: write
+      pull-requests: write
     if: github.repository == 'codeigniter4/CodeIgniter4'
     runs-on: ubuntu-22.04
     needs: check-version

.github/workflows/deploy-userguide-latest.yml

@@ -15,6 +15,10 @@ on:
 jobs:
   build:
     name: Deploy to gh-pages
+    permissions:
+      # Allow ad-m/github-push-action to push commit to branch gh-pages
+      contents: write
+      pull-requests: write
     if: (github.repository == 'codeigniter4/CodeIgniter4')
     runs-on: ubuntu-latest
     steps:

.github/workflows/test-autoreview.yml

@@ -18,6 +18,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   auto-review-tests:
     uses: ./.github/workflows/reusable-serviceless-phpunit-test.yml # @TODO Extract to codeigniter4/.github repo

.github/workflows/test-coding-standards.yml

@@ -16,6 +16,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: PHP ${{ matrix.php-version }} Lint with PHP CS Fixer

.github/workflows/test-deptrac.yml

@@ -28,6 +28,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Architectural Inspection

.github/workflows/test-phpcpd.yml

@@ -27,6 +27,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Duplicate Code Detection

.github/workflows/test-phpstan.yml

@@ -31,6 +31,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: PHP ${{ matrix.php-versions }} Static Analysis

.github/workflows/test-phpunit.yml

@@ -31,6 +31,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   # Any environment variables set in an env context defined at the workflow level
   # in the caller workflow are not propagated to the called workflow.

.github/workflows/test-rector.yml

@@ -33,6 +33,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: PHP ${{ matrix.php-versions }} Analyze code (Rector) on ${{ matrix.paths }}