Keep the good

yoanm · yoanm · commit 31c54b80b2a5 · 2025-08-31T17:49:46.000+02:00
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -20,6 +20,9 @@ on: # Build any PRs and main branch changes
   schedule:
     - cron: '0 0 1 * *' # Every month
 
+permissions:
+  contents: read
+
 concurrency:
   group: "${{ github.workflow }}-${{ github.head_ref || github.ref }}"
   cancel-in-progress: true
diff --git a/.github/workflows/auto-merge-dependabot.yml b/.github/workflows/auto-merge-dependabot.yml
@@ -8,6 +8,9 @@ permissions:
 jobs:
   dependabot:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'yoanm/symfony-jsonrpc-http-server'
     steps:
       - name: Dependabot metadata
diff --git a/.github/workflows/coverage-upload.yml b/.github/workflows/coverage-upload.yml
@@ -4,6 +4,10 @@ on:
     workflows: ["CI"]
     types: [completed]
 
+permissions:
+  contents: read
+  checks: write # For the check run creation !
+
 jobs:
   upload:
     name: Upload
diff --git a/.github/workflows/pre-check-CI-updates.yml b/.github/workflows/pre-check-CI-updates.yml
@@ -18,6 +18,10 @@ on:
       - '.github/workflows/reusable-coverage-upload-workflow.yml'
       - '.github/workflows/auto-merge-dependabot.yml'
 
+permissions:
+  contents: read
+  checks: write # For the check run creation !
+
 concurrency:
   group: "${{ github.workflow }}-${{ github.head_ref || github.ref }}"
   cancel-in-progress: true
diff --git a/.github/workflows/reusable-CI-workflow.yml b/.github/workflows/reusable-CI-workflow.yml
@@ -3,6 +3,9 @@ name: 'CI reusable workflow'
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 env:
   COMPOSER_PREFER_STABLE: '1'
   TEST_OUTPUT_STYLE: pretty
@@ -11,6 +14,8 @@ jobs:
   fetch-supported-versions:
     name: Fetch supported versions
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       php-min: ${{ steps.fetch-php-versions.outputs.min }}
       php-max: ${{ steps.fetch-php-versions.outputs.max }}
@@ -25,6 +30,7 @@ jobs:
         with:
           dependency: php
           path: .github/workflows/supported-versions.json
+
       - name: Fetch Symfony supported versions
         id: fetch-symfony-versions
         uses: yoanm/gha-supported-versions-parser@feature/init
@@ -36,6 +42,8 @@ jobs:
     name: ${{ matrix.job-name }}
     needs: [fetch-supported-versions]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       COVERAGE_TYPE: none
       COVERAGE_OUTPUT_STYLE: clover
@@ -157,6 +165,8 @@ jobs:
     name: Static analysis
     needs: [fetch-supported-versions]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     env:
       PHP_VERSION: ${{ needs.fetch-supported-versions.outputs.php-max }}
       SYMFONY_VERSION: ${{ needs.fetch-supported-versions.outputs.symfony-max }}
@@ -209,6 +219,9 @@ jobs:
     needs: [ fetch-supported-versions, tests ]
     runs-on: ubuntu-latest
     continue-on-error: true
+    permissions:
+      contents: read
+      checks: write # For the check run creation !
     env:
       COMPOSER_IGNORE_PLATFORM_REQ: 'php+'
     strategy:
diff --git a/.github/workflows/reusable-coverage-upload-workflow.yml b/.github/workflows/reusable-coverage-upload-workflow.yml
@@ -8,6 +8,10 @@ on:
       CODECOV_TOKEN:
         required: true
 
+permissions:
+  contents: read
+  checks: write # For the check run creation !
+
 jobs:
   fetch-info:
     name: Fetch triggering workflow metadata
