From 3b866c91859995fcbe4159b4fac3348ca11b006a Mon Sep 17 00:00:00 2001
From: Alex
Date: Sat, 4 Feb 2023 22:29:31 +0100
Subject: [PATCH] GitHub Workflows security hardening (#1763)

Signed-off-by: Alex
---
 .github/workflows/continuous-integration.yml | 3 +++
 .github/workflows/lint.yml | 3 +++
 .github/workflows/phpstan.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index cf50545a..efa84bda 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -4,6 +4,9 @@ on:
 - push
 - pull_request
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 tests:
 name: "CI (PHP ${{ matrix.php-version }}, ${{ matrix.dependencies }} deps)"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 9e20a03e..a7482ace 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -4,6 +4,9 @@ on:
 push:
 pull_request:
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 tests:
 name: "Lint"
diff --git a/.github/workflows/phpstan.yml b/.github/workflows/phpstan.yml
index 434324ce..fcf5007e 100644
--- a/.github/workflows/phpstan.yml
+++ b/.github/workflows/phpstan.yml
@@ -7,6 +7,9 @@ on:
 env:
 COMPOSER_FLAGS: "--ansi --no-interaction --no-progress --prefer-dist"
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 tests:
 name: "PHPStan"
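Review bot: The read-only token granted by the new workflow-level `permissions` block in continuous-integration.yml is still available to every step that runs after checkout, because actions/checkout (named in the added comment) keeps the token in the repository's git config unless `persist-credentials: false` is set on that step. The checkout steps sit outside these hunks, so this needs confirming there, but the jobs presumably go on to run project and dependency code, and that code has no need for the token. The same point applies to the identical blocks added to lint.yml and phpstan.yml. The added comment could also record that every scope not listed drops to none once this block exists, e.g. `# least privilege: unlisted GITHUB_TOKEN scopes become none; grant extras per job`, so that a later step needing write access gets a narrow job-level grant instead of a widened workflow-level one.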