Tighten up the GitHub Actions workflow permissions

.github/workflows/cs.yml

@@ -13,10 +13,16 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   actionlint: #----------------------------------------------------------------------
     name: 'Check GHA workflows'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # Needed to clone the repo.
 
     steps:
       - name: Checkout code
@@ -41,6 +47,8 @@ jobs:
   phpcs: #----------------------------------------------------------------------
     name: 'PHPCS'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # Needed to clone the repo.
 
     steps:
       - name: Checkout code

.github/workflows/label-merge-conflicts.yml

@@ -13,10 +13,16 @@ on:
       - synchronize
       - reopened
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   check-prs:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'WordPress'
+    permissions:
+      pull-requests: write # Needed to add and remove labels on the PR.
 
     name: Check PRs for merge conflicts
 

.github/workflows/lint.yml

@@ -13,9 +13,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   lint: #----------------------------------------------------------------------
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # Needed to clone the repo.
 
     strategy:
       matrix:

.github/workflows/quicktest.yml

@@ -13,11 +13,17 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   #### QUICK TEST STAGE ####
   # Runs the tests against select PHP versions for pushes to arbitrary branches.
   quicktest:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # Needed to clone the repo.
 
     strategy:
       matrix:

.github/workflows/reusable-update-cacert.yml

@@ -3,11 +3,19 @@ name: Certificates
 on:
   workflow_call:
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   certificate-check:
     name: "Check for updated certificate bundle"
 
     runs-on: ubuntu-latest
+    permissions:
+      contents: write      # Needed to push commits to a branch in the repo.
+      pull-requests: write # Needed to create a PR.
+
     steps:
       - name: Determine branches to use
         id: branches

.github/workflows/test.yml

@@ -14,10 +14,16 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   #### TEST STAGE ####
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # Needed to clone the repo.
 
     strategy:
       # Keys:

.github/workflows/update-cacert-cron.yml

@@ -11,9 +11,16 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   certificate-check:
     # Don't run the cron job on forks.
     if: ${{ github.event.repository.fork == false }}
+    permissions:
+      contents: write      # Needed to push commits to a branch in the repo.
+      pull-requests: write # Needed to create a PR.
 
     uses: ./.github/workflows/reusable-update-cacert.yml

.github/workflows/update-cacert.yml

@@ -24,6 +24,14 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
+
 jobs:
   certificate-check:
+    permissions:
+      contents: write      # Needed to push commits to a branch in the repo.
+      pull-requests: write # Needed to create a PR.
+
     uses: ./.github/workflows/reusable-update-cacert.yml

.github/workflows/update-website.yml

@@ -21,9 +21,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  pull-requests: write
-  contents: write
+# Disable permissions for all available scopes by default.
+# Any needed permissions should be configured at the job level.
+permissions: {}
 
 jobs:
   prepare:
@@ -32,6 +32,9 @@ jobs:
     if: github.repository == 'WordPress/Requests'
 
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # Needed to clone the repo.
+
     steps:
       # By default use the `stable` branch as the published docs should always
       # reflect the latest release.
@@ -91,6 +94,10 @@ jobs:
     if: github.repository == 'WordPress/Requests'
 
     runs-on: ubuntu-latest
+    permissions:
+      contents: write      # Needed to push commits to a branch in the repo.
+      pull-requests: write # Needed to create a PR.
+
     steps:
       # PRs based on the "pull request" event trigger will contain changes from the
       # current `develop` branch, so should not be published as the website should