apply explicit permissions as per CodeQL suggestion

as per rule ID actions/missing-workflow-permissions
2026-01-23 02:35:23 +00:00 · 2025-10-10 15:07:44 +02:00 · 2025-10-10 15:07:44 +02:00 · 51eff47614
commit 51eff47614
parent 7779f1ac65
5 changed files with 20 additions and 0 deletions
--- a/.github/workflows/codacy-analysis.yml
+++ b/.github/workflows/codacy-analysis.yml
@ -17,6 +17,10 @@ on:
  schedule:
    - cron: '45 16 * * 1'

+permissions:
+  contents: read
+  security-events: write
+
 jobs:
  codacy-security-scan:
    name: Codacy Security Scan
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -18,6 +18,10 @@ on:
  schedule:
    - cron: '28 22 * * 5'

+permissions:
+  contents: read
+  security-events: write
+
 jobs:
  analyze:
    name: Analyze
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -4,8 +4,12 @@ on:
  push:
    tags: '[0-9]+.[0-9]?[0-9]?[0-9]?.?[0-9]+'

+permissions: {}
+
 jobs:
  draft:
+    permissions:
+      contents: write
    runs-on: ubuntu-latest
    steps:
      - name: Fetch changelog from tag
--- a/.github/workflows/snyk-scan.yml
+++ b/.github/workflows/snyk-scan.yml
@ -8,6 +8,11 @@ on:
    branches: [ master ]
  pull_request:
    branches: [ master ]
+
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
  # https://github.com/snyk/actions/tree/master/php
  snyk-php:
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -1,10 +1,13 @@
 name: Tests
+
 on:
  push:
  pull_request:
    branches: [ master ]
  workflow_dispatch:

+permissions: {}
+
 jobs:

  Composer: