From 363d354f9c343e742e5954676018348e82420746 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Mar 2026 14:03:25 +0000
Subject: [PATCH 1/2] Initial plan
From d3e622089203456cc0e58ae819b16a3be49bd1a4 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Mar 2026 14:04:46 +0000
Subject: [PATCH 2/2] ci: add minimum required permissions to GitHub Actions workflows
Co-authored-by: mtracz <22484267+mtracz@users.noreply.github.com>
Agent-Logs-Url: https://github.com/blumilksoftware/toby/sessions/728c06b0-9cc0-4f3e-b31b-29dea69995e4
---
 .github/workflows/check-pr-title.yml | 4 ++++
 .github/workflows/deploy-to-beta-manually.yml | 3 +++
 .github/workflows/deploy-to-prod.yml | 3 +++
 .github/workflows/run-command-on-beta.yml | 2 ++
 .github/workflows/test-and-lint-js.yml | 3 +++
 .github/workflows/test-and-lint-php.yml | 3 +++
 6 files changed, 18 insertions(+)
diff --git a/.github/workflows/check-pr-title.yml b/.github/workflows/check-pr-title.yml
index ef659ac2..a315484a 100644
--- a/.github/workflows/check-pr-title.yml
+++ b/.github/workflows/check-pr-title.yml
@@ -8,6 +8,10 @@ on: - ready_for_review - reopened
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs: check-pr-title: name: Check PR title
diff --git a/.github/workflows/deploy-to-beta-manually.yml b/.github/workflows/deploy-to-beta-manually.yml
index 2b1fa857..36f14fc7 100644
--- a/.github/workflows/deploy-to-beta-manually.yml
+++ b/.github/workflows/deploy-to-beta-manually.yml
@@ -7,6 +7,9 @@ concurrency: on: workflow_dispatch:
+permissions:
+ contents: read
+
 jobs: deploy:
diff --git a/.github/workflows/deploy-to-prod.yml b/.github/workflows/deploy-to-prod.yml
index b383c8dd..cfe9c557 100644
--- a/.github/workflows/deploy-to-prod.yml
+++ b/.github/workflows/deploy-to-prod.yml
@@ -9,6 +9,9 @@ on: tags: - v*
+permissions:
+ contents: read
+
 jobs: deploy: environment: production
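Review bot: In check-pr-title.yml the new block grants only `pull-requests: read`, but the step that performs the title check is outside the hunk, so it is not visible whether it merely reads the title or also reports back on the pull request. If it posts a comment, label or status, it needs the matching write scope and will start failing with this block. If it reads the title from the event payload alone, `contents: read` can probably be dropped too, since nothing in the hunk suggests a checkout. A one-line comment above the block, such as `# title check only reads PR metadata; no write scopes needed`, would record the reasoning.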
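Review bot: The top-level `permissions:` block in deploy-to-beta-manually.yml (and the identical one in deploy-to-prod.yml) sets every scope that is not listed to `none`, and the `deploy` job's steps are outside both hunks. If either deployment authenticates through OIDC, pushes to the GitHub package registry or creates a release for the `v*` tag, it needs `id-token: write`, `packages: write` or `contents: write` respectively, preferably granted on the `deploy` job rather than workflow-wide. A manual run against beta before the next production tag would confirm this, because a missing scope here only surfaces as a failed deployment.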
diff --git a/.github/workflows/run-command-on-beta.yml b/.github/workflows/run-command-on-beta.yml
index 1a44179a..e49e4d48 100644
--- a/.github/workflows/run-command-on-beta.yml
+++ b/.github/workflows/run-command-on-beta.yml
@@ -8,6 +8,8 @@ on: type: string required: true
+permissions: {}
+
 jobs: run-command:
diff --git a/.github/workflows/test-and-lint-js.yml b/.github/workflows/test-and-lint-js.yml
index 2ff180ed..6bf5830d 100644
--- a/.github/workflows/test-and-lint-js.yml
+++ b/.github/workflows/test-and-lint-js.yml
@@ -15,6 +15,9 @@ on: - 'package.json' - 'package-lock.json'
+permissions:
+ contents: read
+
 jobs: test-and-lint-js: name: Test & lint JS stuff
diff --git a/.github/workflows/test-and-lint-php.yml b/.github/workflows/test-and-lint-php.yml
index bc473654..2653dea0 100644
--- a/.github/workflows/test-and-lint-php.yml
+++ b/.github/workflows/test-and-lint-php.yml
@@ -17,6 +17,9 @@ on: - '.env.ci' - 'test-and-lint-php.yml'
+permissions:
+ contents: read
+
 jobs: test-and-lint-php: name: Test & lint PHP stuff
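Review bot: `permissions: {}` in run-command-on-beta.yml removes every scope from GITHUB_TOKEN, unlike the `contents: read` used in the other five workflows, and the `run-command` job body is outside the hunk. If that job checks out the repository and the repository is private, the checkout will fail without `contents: read`. If it does not check out, the empty block is the right choice and deserves a comment such as `# no repository access needed: the job only connects to beta`. This block limits only the GITHUB_TOKEN; the secrets used to reach beta and the required string input visible in the context lines are unaffected, so restricting who may dispatch this workflow remains the main control.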