Added permissions to github actions

2025-12-06 02:59:29 +00:00 · 2025-08-30 22:15:09 +02:00 · 2025-08-30 22:15:09 +02:00 · 5238be1460
commit 5238be1460
parent 80482f7294
5 changed files with 22 additions and 7 deletions
--- a/.github/workflows/assets_artifact_build.yml
+++ b/.github/workflows/assets_artifact_build.yml
@ -1,5 +1,8 @@
 name: Build assets artifact

+permissions:
+    contents: read
+
 on:
  push:
    branches:
--- a/.github/workflows/docker_build.yml
+++ b/.github/workflows/docker_build.yml
@ -1,5 +1,8 @@
 name: Docker Image Build

+permissions:
+    contents: read
+
 on:
  #schedule:
  #  - cron: '0 10 * * *' # everyday at 10am
@ -73,4 +76,4 @@ jobs:
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-to: type=gha,mode=max
--- a/.github/workflows/docker_frankenphp.yml
+++ b/.github/workflows/docker_frankenphp.yml
@ -1,5 +1,8 @@
 name: Docker Image Build (FrankenPHP)

+permissions:
+    contents: read
+
 on:
  #schedule:
  #  - cron: '0 10 * * *' # everyday at 10am
@ -74,4 +77,4 @@ jobs:
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-to: type=gha,mode=max
--- a/.github/workflows/static_analysis.yml
+++ b/.github/workflows/static_analysis.yml
@ -1,5 +1,8 @@
 name: Static analysis

+permissions:
+    contents: read
+
 on:
  push:
    branches:
@ -30,20 +33,20 @@ jobs:
      id: composer-cache
      run: |
        echo "::set-output name=dir::$(composer config cache-files-dir)"
-    
+
    - uses: actions/cache@v4
      with:
        path: ${{ steps.composer-cache.outputs.dir }}
        key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
        restore-keys: |
-          ${{ runner.os }}-composer-  
+          ${{ runner.os }}-composer-

    - name: Install dependencies
      run: composer install --prefer-dist --no-progress

    - name: Lint config files
      run: ./bin/console lint:yaml config --parse-tags
-    
+
    - name: Lint twig templates
      run: ./bin/console lint:twig templates --env=prod

@ -53,13 +56,13 @@ jobs:

    - name: Check dependencies for security
      uses: symfonycorp/security-checker-action@v5
-    
+
    - name: Check doctrine mapping
      run: ./bin/console doctrine:schema:validate --skip-sync -vvv --no-interaction

    # Use the -d option to raise the max nesting level
    - name: Generate dev container
      run: php -d xdebug.max_nesting_level=1000 ./bin/console cache:clear --env dev
-    
+
    - name: Run PHPstan
      run: composer phpstan
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -1,5 +1,8 @@
 name: PHPUnit Tests

+permissions:
+    contents: read
+
 on:
  push:
    branches: