ci(github-actions): Add read permissions to CI workflow (#55)

SmetDenis · web-flow · commit abf61e343268 · 2025-09-27T23:14:29.000+04:00
Explicitly grant `contents: read` to the CI workflow. This is a security
best practice and ensures that actions requiring repository content
access (e.g., checkout) function correctly without relying on default
permissions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -11,6 +11,8 @@
 #
 
 name: CI
+permissions:
+    contents: read
 
 on:
   pull_request:
diff --git a/src/PHPUnit/TraitGithubActions.php b/src/PHPUnit/TraitGithubActions.php
@@ -35,8 +35,11 @@ public static function testGithubActionsWorkflow(): void
 
         // Expected
         $expected = [
-            'name' => 'CI',
-            'on'   => [
+            'name'        => 'CI',
+            'permissions' => [
+                'contents' => 'read',
+            ],
+            'on' => [
                 'pull_request' => ['branches' => ['*']],
                 'push'         => ['branches' => ['master']],
             ],

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,8 @@`
`11`	`11`	`#`
`12`	`12`
`13`	`13`	`name: CI`
	`14`	`+permissions:`
	`15`	`+ contents: read`
`14`	`16`
`15`	`17`	`on:`
`16`	`18`	`pull_request:`