Scope down GitHub Token Permissions (#7640)

AdnaneKhan · web-flow · commit 3777bfa3dadc · 2025-10-21T12:22:49.000+01:00
* Scope down GitHub token permissions for writeme.yml, yaml-lint.yml, lint-php.yml, lint-ruby.yml, lint-kotlin.yml, and lint-javascript.yml
diff --git a/.github/workflows/lint-javascript.yml b/.github/workflows/lint-javascript.yml
@@ -4,6 +4,10 @@ on:  # yamllint disable-line rule:truthy
   pull_request:
   workflow_dispatch:
 
+
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint Javascript
diff --git a/.github/workflows/lint-kotlin.yml b/.github/workflows/lint-kotlin.yml
@@ -4,6 +4,10 @@ on:  # yamllint disable-line rule:truthy
   workflow_dispatch:
   pull_request:
 
+
+permissions:
+  contents: read
+
 jobs:
   ktlint:
     name: Lint Kotlin
diff --git a/.github/workflows/lint-php.yml b/.github/workflows/lint-php.yml
@@ -8,6 +8,10 @@ on:  # yamllint disable-line rule:truthy
       - ".github/linters/phpcs.xml"
       - ".github/workflows/php-lint.yml"
 
+
+permissions:
+  contents: read
+
 jobs:
   phpcs:
     name: "PHP Linter"
diff --git a/.github/workflows/lint-ruby.yml b/.github/workflows/lint-ruby.yml
@@ -4,6 +4,10 @@ on:  # yamllint disable-line rule:truthy
   pull_request:
   workflow_dispatch:
 
+
+permissions:
+  contents: read
+
 jobs:
   rubocop:
     name: RuboCop
diff --git a/.github/workflows/writeme.yml b/.github/workflows/writeme.yml
@@ -11,6 +11,10 @@ on:  # yamllint disable-line rule:truthy
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+
+permissions:
+  contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   # This workflow contains a single job called "build"
diff --git a/.github/workflows/yaml-lint.yml b/.github/workflows/yaml-lint.yml
@@ -4,6 +4,10 @@ on:  # yamllint disable-line rule:truthy
   pull_request:
   workflow_dispatch:
 
+
+permissions:
+  contents: read
+
 jobs:
   yamllint:
     name: Lint Yaml
