Harden GitHub Workflows security

sashashura · cmb69 · commit 1d45ca58c86a · 2022-08-30T17:59:58.000+02:00
Co-authored-by: Michael Voříšek <mvorisek@mvorisek.cz> Closes GH-9440.
diff --git a/.github/workflows/close-needs-feedback.yml b/.github/workflows/close-needs-feedback.yml
@@ -4,10 +4,16 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     if: github.repository_owner == 'php'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - name: Close old issues that need feedback
         uses: dwieeb/needs-reply@v2
diff --git a/.github/workflows/close-stale-feature-requests.yml b/.github/workflows/close-stale-feature-requests.yml
@@ -4,10 +4,16 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   stale:
     if: github.repository_owner == 'php'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/stale@v4
         with:
diff --git a/.github/workflows/close-stale-prs.yml b/.github/workflows/close-stale-prs.yml
@@ -4,10 +4,16 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   stale:
     if: github.repository_owner == 'php'
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/stale@v4
         with:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -3,6 +3,8 @@ on:
   schedule:
    - cron: "0 1 * * *"
   workflow_dispatch: ~
+permissions:
+  contents: read
 jobs:
   GENERATE_MATRIX:
     name: Generate Matrix
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -17,6 +17,8 @@ on:
   pull_request:
     branches:
       - '**'
+permissions:
+  contents: read
 jobs:
   LINUX_X64:
     strategy:
diff --git a/.github/workflows/remove-needs-feedback.yml b/.github/workflows/remove-needs-feedback.yml
@@ -5,10 +5,16 @@ on:
     types:
       - created
 
+permissions:
+  contents: read
+
 jobs:
   build:
     if: "github.repository_owner == 'php' && contains(github.event.issue.labels.*.name, 'Status: Needs Feedback') && github.event.issue.user.login == github.event.sender.login"
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions-ecosystem/action-remove-labels@v1
         with:
