Update ci.yml.

Author: kagg-design

.github/workflows/ci.yml

@@ -1,5 +1,11 @@
 name: hCaptcha CI
 on: [ push, pull_request ]
+
+# 1. SECURITY: Default to read-only permissions for the workflow
+permissions:
+  actions: read
+  contents: read
+
 concurrency:
   group: ${{ github.ref }}
   cancel-in-progress: true
@@ -35,10 +41,8 @@ jobs:
         with:
           path: ${{ env.wp-plugin-directory }}
 
-      - name: Update changelog
-        if: ${{ matrix.php-version == '8.4' }}
-        working-directory: ${{ env.wp-plugin-directory }}
-        run: .github/scripts/update-changelog.sh
+      # MOVED: The "Update changelog" step has been moved to the specific job below
+      # to prevent giving 'contents: write' permissions to this testing job.
 
       - name: Setup PHP
         uses: hCaptcha/setup-php@42a9487ddd45db247decea2acf7de871a8178226
@@ -115,3 +119,30 @@ jobs:
         if: ${{ matrix.php-version == '8.4' }}
         working-directory: ${{ env.wp-plugin-directory }}
         run: yarn jest
+
+  update_changelog:
+    name: Update Changelog
+    runs-on: ubuntu-latest
+
+    # 2. SECURITY: Only run on PUSH, never on Pull Requests
+    if: github.event_name == 'push'
+    needs: cs_and_tests
+
+    # 3. SECURITY: Grant write permission ONLY to this job
+    permissions:
+      contents: write
+
+    env:
+      wp-plugin-directory: wordpress/wp-content/plugins/hcaptcha-wordpress-plugin
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          path: ${{ env.wp-plugin-directory }}
+          # Check out the branch ref to ensure we can push back to it
+          ref: ${{ github.ref }}
+
+      - name: Update changelog
+        working-directory: ${{ env.wp-plugin-directory }}
+        run: .github/scripts/update-changelog.sh