From 9624a88c9cd9a50c22443fcdf3a0f77634b11210 Mon Sep 17 00:00:00 2001
From: Michi Hoffmann
Date: Mon, 6 Nov 2023 13:04:44 +0100
Subject: [PATCH] Add permissions to GitHub actions (#791)
---
 .github/workflows/ci.yaml | 3 +++
 .github/workflows/cs.yaml | 3 +++
 .github/workflows/publish-release.yaml | 3 +++
 .github/workflows/static-analysis.yaml | 3 +++
 4 files changed, 12 insertions(+)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index c9a9acb1..c862adeb 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -7,6 +7,9 @@ on:
 - master
 - release/**
+permissions:
+ contents: read
+
 jobs:
 phpunit:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/cs.yaml b/.github/workflows/cs.yaml
index de4b6372..c6daa762 100644
--- a/.github/workflows/cs.yaml
+++ b/.github/workflows/cs.yaml
@@ -7,6 +7,9 @@ on:
 - master
 - release/**
+permissions:
+ contents: read
+
 jobs:
 php-cs-fixer:
 name: PHP-CS-Fixer
diff --git a/.github/workflows/publish-release.yaml b/.github/workflows/publish-release.yaml
index 80a6975b..7a42a89a 100644
--- a/.github/workflows/publish-release.yaml
+++ b/.github/workflows/publish-release.yaml
@@ -10,6 +10,9 @@ on:
 description: Force a release even when there are release-blockers (optional)
 required: false
+permissions:
+ contents: read
+
 jobs:
 release:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/static-analysis.yaml b/.github/workflows/static-analysis.yaml
index ce1c51d8..8a92d6bb 100644
--- a/.github/workflows/static-analysis.yaml
+++ b/.github/workflows/static-analysis.yaml
@@ -7,6 +7,9 @@ on:
 - master
 - release/**
+permissions:
+ contents: read
+
 jobs:
 phpstan:
 name: PHPStan
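Review bot: The top-level `permissions:` block added in `.github/workflows/ci.yaml` (and identically in `cs.yaml` and `static-analysis.yaml`) has no comment explaining it, and a workflow-level block sets every scope it does not list to `none`. Someone who later adds a step that comments on a pull request or publishes a check result will get a permission error with no hint in the file as to why. I would put a line above the block such as `# Least privilege: GITHUB_TOKEN is read-only here; grant extra scopes per job, not at workflow level.` The job definitions continue past the end of each hunk, so whether an existing step already needs more than `contents: read` cannot be confirmed from the diff and is worth checking on a pull-request run.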
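Review bot: In `.github/workflows/publish-release.yaml` the workflow-level `contents: read` also governs the `release` job, whose steps lie outside the hunk. If any of them pushes a branch or tag, or creates a release or issue, using the automatic `GITHUB_TOKEN`, that step will now be rejected. If the job instead authenticates with a separate token from secrets, this block does not constrain that token at all, and a comment such as `# Applies to GITHUB_TOKEN only; release steps authenticate with their own token` would stop readers assuming the release path is read-only. Should the job need the automatic token to write, give it a job-level override (`permissions:` with `contents: write` under `release:`) rather than widening the workflow-level block.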