Remove separator comments and add permissions to workflows

Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

Author: Copilot

.github/workflows/code-quality.yml

@@ -8,6 +8,9 @@ on:
       - main
       - master
 
+permissions:
+  contents: read
+
 jobs:
   code-quality:
     uses: wp-cli/.github/.github/workflows/reusable-code-quality.yml@main

.github/workflows/issue-triage.yml

@@ -13,6 +13,12 @@ name: Issue and PR Triage
         required: false
         type: string
 
+permissions:
+  issues: write
+  pull-requests: write
+  actions: write
+  contents: read
+
 jobs:
   issue-triage:
     uses: wp-cli/.github/.github/workflows/reusable-issue-triage.yml@main

.github/workflows/regenerate-readme.yml

@@ -10,6 +10,10 @@ on:
       - "features/**"
       - "README.md"
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   regenerate-readme:
     uses: wp-cli/.github/.github/workflows/reusable-regenerate-readme.yml@main

.github/workflows/reusable-code-quality.yml

@@ -9,6 +9,9 @@ on:
         required: false
         default: ''
 
+permissions:
+  contents: read
+
 # Cancels all previous workflow runs for the same branch that have not yet completed.
 concurrency:
   # The concurrency group contains the workflow name and the branch name.
@@ -17,7 +20,7 @@ concurrency:
 
 jobs:
 
-  actionlint: #-----------------------------------------------------------------------
+  actionlint:
     name: Lint GitHub Actions workflows
     runs-on: ubuntu-latest
     steps:
@@ -34,7 +37,7 @@ jobs:
         with:
           args: -color -shellcheck=
 
-  lint: #-----------------------------------------------------------------------
+  lint:
     name: Lint PHP files
     runs-on: ubuntu-latest
     steps:
@@ -95,7 +98,7 @@ jobs:
         env:
           ADDITIONAL_EXCLUDES: ${{ inputs.parallel-lint-excludes }}
 
-  lint-gherkin: #----------------------------------------------------------------
+  lint-gherkin:
     name: Lint Gherkin Feature files
     runs-on: ubuntu-latest
     steps:
@@ -111,7 +114,7 @@ jobs:
       - name: Run linter
         run: npx --yes gherkin-lint -c $RUNNER_TEMP/.gherkin-lintrc
 
-  lint-spellcheck: #----------------------------------------------------------------
+  lint-spellcheck:
     name: Spell check
     runs-on: ubuntu-latest
     steps:
@@ -128,7 +131,7 @@ jobs:
         if: steps.check_files.outputs.files_exists == 'true'
         uses: crate-ci/typos@v1.42.1
 
-  phpcs: #----------------------------------------------------------------------
+  phpcs:
     name: PHPCS
     runs-on: ubuntu-latest
 
@@ -177,7 +180,7 @@ jobs:
             cs2pr /tmp/phpcs-checkstyle-report.xml
           fi
 
-  phpstan: #----------------------------------------------------------------------
+  phpstan:
     name: PHPStan
     runs-on: ubuntu-latest
 

.github/workflows/reusable-regenerate-readme.yml

@@ -3,6 +3,10 @@ name: Regenerate README file
 on:
   workflow_call:
 
+permissions:
+  contents: write
+  pull-requests: write
+
 # Cancels all previous workflow runs for the same branch that have not yet completed.
 concurrency:
   # The concurrency group contains the workflow name and the branch name.
@@ -12,7 +16,7 @@ concurrency:
 
 jobs:
 
-  regenerate-readme: #----------------------------------------------------------
+  regenerate-readme:
     name: Regenerate README.md file
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'wp-cli' && ! contains(fromJson('[".github", "wp-cli", "wp-cli-bundle", "wp-super-cache-cli", "php-cli-tools", "wp-config-transformer", "wp-cli.github.com"]'), github.event.repository.name) }}

.github/workflows/reusable-testing.yml

@@ -24,6 +24,9 @@ on:
         required: false
         default: '{ "include": [], "exclude": [] }'
 
+permissions:
+  contents: read
+
 # Cancels all previous workflow runs for the same branch that have not yet completed.
 concurrency:
   # The concurrency group contains the workflow name and the branch name.
@@ -277,7 +280,7 @@ jobs:
           BASE_MATRIX: ${{ needs.get-matrix.outputs.matrix }}
           FILE_EXISTS: ${{ steps.check_files.outputs.files_exists == 'true' }}
 
-  unit: #-----------------------------------------------------------------------
+  unit:
     needs: prepare-unit
     if: ${{ needs.prepare-unit.outputs.matrix != '' }}
     name: Unit test /  PHP ${{ matrix.php }}${{ matrix.coverage && ' (with coverage)' || '' }} ${{ startsWith( matrix.os, 'windows' ) && '(Windows)' || '' }} ${{ startsWith( matrix.os, 'macos' ) && '(macOS)' || '' }}
@@ -341,7 +344,7 @@ jobs:
           flags: unit
           token: ${{ secrets.CODECOV_TOKEN }}
 
-  prepare-functional: #---------------------------------------------------------
+  prepare-functional:
     name: Prepare matrix for functional tests
     needs: get-matrix
     runs-on: ubuntu-22.04
@@ -397,7 +400,7 @@ jobs:
           BASE_MATRIX: ${{ needs.get-matrix.outputs.matrix }}
           FILE_EXISTS: ${{ steps.check_files.outputs.files_exists == 'true' }}
 
-  functional: #-----------------------------------------------------------------
+  functional:
     needs: prepare-functional
     if: ${{ needs.prepare-functional.outputs.matrix != '' }}
     name: Functional - WP ${{ matrix.wp }} on PHP ${{ matrix.php }} with ${{ matrix.dbtype != 'sqlite' && matrix.mysql || 'SQLite' }}${{ matrix.coverage && ' (with coverage)' || '' }} ${{ startsWith( matrix.os, 'windows' ) && '(Windows)' || '' }} ${{ startsWith( matrix.os, 'macos' ) && '(macOS)' || '' }}

.github/workflows/sync-workflows.yml

@@ -9,9 +9,12 @@ on:
   schedule:
     - cron:  '*/10 * * * *' # Run every 10 minutes.
 
+permissions:
+  contents: write
+
 jobs:
 
-  sync-workflows: #-------------------------------------------------------------
+  sync-workflows:
     name: Sync GitHub Actions workflows
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'wp-cli' }}
@@ -75,7 +78,7 @@ jobs:
             wp-cli/wp-super-cache-cli
           GITHUB_TOKEN: ${{ secrets.ACTIONS_BOT }}
 
-  sync-dependabot: #------------------------------------------------------------
+  sync-dependabot:
     name: Sync Dependabot configuration
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'wp-cli' }}

.github/workflows/testing.yml

@@ -10,6 +10,9 @@ on:
   schedule:
     - cron:  '17 1 * * *' # Run every day on a seemly random time.
 
+permissions:
+  contents: read
+
 jobs:
   test:
     uses: wp-cli/.github/.github/workflows/reusable-testing.yml@main

.github/workflows/welcome-new-contributors.yml

@@ -7,6 +7,9 @@ on:
       - main
       - master
 
+permissions:
+  pull-requests: write
+
 jobs:
   welcome:
     uses: wp-cli/.github/.github/workflows/reusable-welcome-new-contributors.yml@main