Make workflows safer

ondrejmirtes · ondrejmirtes · commit fecc19964d19 · 2026-02-24T09:45:14.000+01:00
diff --git a/.github/workflows/claude-fix-issue.yml b/.github/workflows/claude-fix-issue.yml
@@ -19,6 +19,10 @@ jobs:
     name: "Fix #${{ inputs.issue-number }}"
     runs-on: blacksmith-4vcpu-ubuntu-2404
     timeout-minutes: 60
+    permissions:
+      contents: read
+      issues: read
+      pull-requests: write
 
     steps:
       - name: "Checkout"
@@ -27,7 +31,6 @@ jobs:
           repository: phpstan/phpstan-src
           ref: "2.1.x"
           fetch-depth: 0
-          token: ${{ secrets.PHPSTAN_BOT_TOKEN }}
 
       - name: "Install PHP"
         uses: "shivammathur/setup-php@v2"
@@ -45,7 +48,7 @@ jobs:
       - name: "Fetch issue details"
         id: issue
         env:
-          GH_TOKEN: ${{ secrets.PHPSTAN_BOT_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           ISSUE_NUMBER: ${{ inputs.issue-number }}
         run: |
           ISSUE_JSON=$(gh issue view "$ISSUE_NUMBER" \
@@ -158,7 +161,7 @@ jobs:
       - name: "Run Claude Code"
         env:
           CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          GH_TOKEN: ${{ secrets.PHPSTAN_BOT_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           git config user.name "phpstan-bot"
           git config user.email "ondrej+phpstanbot@mirtes.cz"
@@ -196,7 +199,6 @@ jobs:
         id: create-pr
         uses: peter-evans/create-pull-request@v6
         with:
-          token: ${{ secrets.PHPSTAN_BOT_TOKEN }}
           branch-suffix: random
           delete-branch: true
           title: "Fix #${{ inputs.issue-number }}: ${{ steps.issue.outputs.title }}"
diff --git a/.github/workflows/claude-fix-pr-ci.yml b/.github/workflows/claude-fix-pr-ci.yml
@@ -26,20 +26,24 @@ jobs:
           ignoreActions: "Wait for CI checks,Fix CI failure,Automerge PRs"
           checkInterval: 13
         env:
-          GITHUB_TOKEN: "${{ secrets.PHPSTAN_BOT_TOKEN }}"
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 
   fix-ci:
     name: "Fix CI failure"
     needs: wait-for-checks
     if: needs.wait-for-checks.outputs.status == 'failure'
     runs-on: blacksmith-4vcpu-ubuntu-2404
     timeout-minutes: 60
+    permissions:
+      contents: read
+      actions: read
+      pull-requests: write
 
     steps:
       - name: "Check fix attempt count"
         id: check-attempts
         env:
-          GH_TOKEN: ${{ secrets.PHPSTAN_BOT_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
         run: |
           COMMITS=$(gh api "repos/${{ github.repository }}/pulls/$PR_NUMBER/commits?per_page=100" \
@@ -58,7 +62,7 @@ jobs:
         if: steps.check-attempts.outputs.skip != 'true'
         id: failures
         env:
-          GH_TOKEN: ${{ secrets.PHPSTAN_BOT_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HEAD_SHA: ${{ github.event.pull_request.head.sha }}
         run: |
           FAILED_RUNS=$(gh api "repos/${{ github.repository }}/actions/runs?head_sha=$HEAD_SHA&status=failure&per_page=20" \
@@ -114,7 +118,6 @@ jobs:
         with:
           ref: ${{ github.head_ref }}
           fetch-depth: 0
-          token: ${{ secrets.PHPSTAN_BOT_TOKEN }}
 
       - name: "Install PHP"
         if: steps.check-attempts.outputs.skip != 'true' && steps.failures.outputs.skip != 'true'
@@ -196,7 +199,7 @@ jobs:
         if: steps.check-attempts.outputs.skip != 'true' && steps.failures.outputs.skip != 'true'
         env:
           CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          GH_TOKEN: ${{ secrets.PHPSTAN_BOT_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           git config user.name "phpstan-bot"
           git config user.email "ondrej+phpstanbot@mirtes.cz"
diff --git a/.github/workflows/claude-random-easy-fixes.yml b/.github/workflows/claude-random-easy-fixes.yml
@@ -18,6 +18,10 @@ jobs:
     outputs:
       matrix: ${{ steps.pick-issues.outputs.matrix }}
 
+    permissions:
+      contents: read
+      issues: read
+
     steps:
       - name: "Pick random Easy fix issues"
         id: pick-issues
diff --git a/.github/workflows/claude-react-on-comment.yml b/.github/workflows/claude-react-on-comment.yml
@@ -39,13 +39,17 @@ jobs:
     if: needs.check-trigger.outputs.triggered == 'true'
     runs-on: blacksmith-4vcpu-ubuntu-2404
     timeout-minutes: 60
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
+      id-token: write
 
     steps:
       - name: "Checkout"
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.PHPSTAN_BOT_TOKEN }}
 
       - name: "Install PHP"
         uses: "shivammathur/setup-php@v2"
@@ -61,7 +65,6 @@ jobs:
         uses: anthropics/claude-code-action@v1
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          github_token: ${{ secrets.PHPSTAN_BOT_TOKEN }}
           trigger_phrase: "@phpstan-bot"
           claude_args: "--model claude-opus-4-6"
           bot_name: "phpstan-bot"
diff --git a/.github/workflows/issue-bot.yml b/.github/workflows/issue-bot.yml
@@ -236,12 +236,15 @@ jobs:
     if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'phpstan-bot'
     runs-on: blacksmith-4vcpu-ubuntu-2404
     timeout-minutes: 60
+    permissions:
+      contents: read
+      pull-requests: write
 
     steps:
       - name: "Check for feedback loop"
         id: check
         env:
-          GH_TOKEN: ${{ secrets.PHPSTAN_BOT_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           COMMIT_MSG=$(gh api "repos/${{ github.repository }}/commits/${{ github.event.pull_request.head.sha }}" --jq '.commit.message' 2>/dev/null || true)
           if [[ "$COMMIT_MSG" == "Add regression test for #"* ]]; then
@@ -257,7 +260,6 @@ jobs:
         with:
           ref: ${{ github.head_ref }}
           fetch-depth: 0
-          token: ${{ secrets.PHPSTAN_BOT_TOKEN }}
 
       - name: "Download step summary"
         if: steps.check.outputs.skip != 'true'
@@ -292,7 +294,7 @@ jobs:
         if: steps.check.outputs.skip != 'true'
         env:
           CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          GH_TOKEN: ${{ secrets.PHPSTAN_BOT_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           git config user.name "phpstan-bot"
           git config user.email "ondrej+phpstanbot@mirtes.cz"
@@ -318,7 +320,7 @@ jobs:
       - name: "Update PR description"
         if: steps.check.outputs.skip != 'true'
         env:
-          GH_TOKEN: ${{ secrets.PHPSTAN_BOT_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           BEFORE_SHA="${{ steps.before.outputs.sha }}"
           CURRENT_SHA="$(git rev-parse HEAD)"
