From 5e9ec2e918ed3576e8b4422db23d5d588f10e254 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Mar 2026 14:32:19 +0000
Subject: [PATCH] Add minimum permissions and pin setup-php action to commit
 SHA

Co-authored-by: mtracz <22484267+mtracz@users.noreply.github.com>
Agent-Logs-Url: https://github.com/blumilksoftware/blt/sessions/bdc08bd7-226a-47bc-8beb-33742983cac8
---
 .github/workflows/check-pr-title.yml    | 3 +++
 .github/workflows/test-and-lint-php.yml | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/check-pr-title.yml b/.github/workflows/check-pr-title.yml
index 9d6afcf..77f1afc 100644
--- a/.github/workflows/check-pr-title.yml
+++ b/.github/workflows/check-pr-title.yml
@@ -8,6 +8,9 @@ on:
       - ready_for_review
       - reopened
 
+permissions:
+  pull-requests: read
+
 jobs:
   check-pr-title:
     name: Check PR title
diff --git a/.github/workflows/test-and-lint-php.yml b/.github/workflows/test-and-lint-php.yml
index 7156411..4978953 100644
--- a/.github/workflows/test-and-lint-php.yml
+++ b/.github/workflows/test-and-lint-php.yml
@@ -9,6 +9,8 @@ on:
       - 'composer.json'
       - 'composer.lock'
 
+permissions:
+  contents: read
 
 jobs:
   test-and-lint-php:
@@ -28,7 +30,7 @@ jobs:
           restore-keys: ${{ runner.os }}-composer-dependencies
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@2.30.0 # https://github.com/shivammathur/setup-php
+        uses: shivammathur/setup-php@a4e22b60bbb9c1021113f2860347b0759f66fe5d # v2.30.0
         with:
           php-version: 8.3
           coverage: none