Disable permissions for all available scopes by default.

Author: johnbillion

.github/workflows/reusable-coding-standards-javascript.yml

@@ -9,6 +9,10 @@ on:
 env:
   PUPPETEER_SKIP_DOWNLOAD: ${{ true }}
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs the JavaScript coding standards checks.
   #

.github/workflows/reusable-coding-standards-php.yml

@@ -17,6 +17,10 @@ on:
         type: 'boolean'
         default: false
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs the PHP coding standards checks.
   #

.github/workflows/reusable-end-to-end-tests.yml

@@ -33,6 +33,10 @@ env:
   LOCAL_DIR: build
   LOCAL_PHP: ${{ inputs.php-version }}${{ 'latest' != inputs.php-version && '-fpm' || '' }}
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs the end-to-end test suite.
   #

.github/workflows/reusable-javascript-tests.yml

@@ -6,6 +6,10 @@ name: JavaScript tests
 on:
   workflow_call:
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs the QUnit test suite.
   #

.github/workflows/reusable-performance.yml

@@ -54,6 +54,10 @@ env:
   LOCAL_PHP_MEMCACHED: ${{ inputs.memcached }}
   LOCAL_PHP: ${{ inputs.php-version }}${{ 'latest' != inputs.php-version && '-fpm' || '' }}
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Performs the following steps:
   # - Configure environment variables.

.github/workflows/reusable-php-compatibility.yml

@@ -12,6 +12,10 @@ on:
         type: 'string'
         default: 'latest'
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs PHP compatibility tests.
   #

.github/workflows/reusable-phpunit-tests-v1.yml

@@ -58,6 +58,10 @@ env:
   PUPPETEER_SKIP_DOWNLOAD: ${{ true }}
   SLOW_TESTS: 'external-http,media'
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs the PHPUnit tests for WordPress.
   #

.github/workflows/reusable-phpunit-tests-v2.yml

@@ -63,6 +63,10 @@ env:
   PHPUNIT_SCRIPT: php
   SLOW_TESTS: 'external-http,media'
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs the PHPUnit tests for WordPress.
   #

.github/workflows/reusable-phpunit-tests-v3.yml

@@ -82,6 +82,10 @@ env:
   PHPUNIT_CONFIG: ${{ inputs.phpunit-config }}
   PUPPETEER_SKIP_DOWNLOAD: ${{ true }}
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Runs the PHPUnit tests for WordPress.
   #

.github/workflows/reusable-support-json-reader-v1.yml

@@ -26,6 +26,10 @@ on:
         description: "The MySQL versions to test for the given wp-version"
         value: ${{ jobs.mysql-versions.outputs.versions }}
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   # Determines the major version of WordPress being tested.
   #
@@ -36,6 +40,8 @@ jobs:
   # - Returns the major WordPress version as an output based on the value passed to the wp-version input.
   major-wp-version:
     name: Determine major WordPress version
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
     timeout-minutes: 5
@@ -70,6 +76,8 @@ jobs:
   #   .version-support-php.json file and returning the values in that version's index.
   php-versions:
     name: Determine PHP versions
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
     needs: [ major-wp-version ]
@@ -105,6 +113,8 @@ jobs:
   #   .version-support-mysql.json file and returning the values in that version's index.
   mysql-versions:
     name: Determine MySQL versions
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     if: ${{ github.repository == 'WordPress/wordpress-develop' || github.event_name == 'pull_request' }}
     needs: [ major-wp-version ]