From 4bd2221706153640414ecc0188845d59700175e7 Mon Sep 17 00:00:00 2001
From: SmetDenis
Date: Sat, 27 Sep 2025 23:13:17 +0400
Subject: [PATCH] ci(github-actions): Add read permissions to CI workflow

Explicitly grant 'contents: read' to the CI workflow. This is a security best practice and ensures that actions requiring repository content access (e.g., checkout) function correctly without relying on default permissions.
---
 .github/workflows/main.yml | 2 ++
 src/PHPUnit/TraitGithubActions.php | 7 +++++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index e8bf0b5..8a45da8 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -11,6 +11,8 @@
 #
 name: CI
+permissions:
+ contents: read
 on:
 pull_request:
diff --git a/src/PHPUnit/TraitGithubActions.php b/src/PHPUnit/TraitGithubActions.php
index 47918b3..6a86c97 100644
--- a/src/PHPUnit/TraitGithubActions.php
+++ b/src/PHPUnit/TraitGithubActions.php
@@ -35,8 +35,11 @@ public static function testGithubActionsWorkflow(): void
 // Expected
 $expected = [
- 'name' => 'CI',
- 'on' => [
+ 'name' => 'CI',
+ 'permissions' => [
+ 'contents' => 'read',
+ ],
+ 'on' => [
 'pull_request' => ['branches' => ['*']],
 'push' => ['branches' => ['master']],
 ],
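Review bot: The top-level `permissions:` block added after `name: CI` sets every scope it does not list to `none` for all jobs, so it narrows the token rather than only documenting the default. Any job further down that reports a check, comments on a pull request or otherwise writes with the token would lose that access; the jobs are outside this hunk, so this should be confirmed against the rest of main.yml, and any extra scope granted on the job that needs it rather than here. A short comment above the block would keep the intent visible, e.g. `# Least privilege: GITHUB_TOKEN is read-only; widen per job, not here.`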
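Review bot: The new `'permissions' => ['contents' => 'read']` entry in `$expected` pins only the workflow-level token scope; a job-level `permissions:` block can still widen the token, and whether the comparison covers the `jobs` section is not visible here because testGithubActionsWorkflow() continues outside the hunk. If it does not, it would be worth also asserting that no job declares a write scope. As this trait appears to be shared test code, the new key will presumably fail for any consumer whose main.yml lacks the block, which deserves a changelog line. A why-comment above the entry would help, e.g. `// Least privilege: the workflow token must stay read-only.`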