From 148bd3bf471cf9832df4fb7044302946abd5a5a3 Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 22 Feb 2026 18:50:18 +0000
Subject: [PATCH] Add top-level permissions block to all GitHub Actions workflows

Apply the principle of least privilege to harden CI/CD security:
- build.yml: contents: read (publish_phar already overrides with write)
- update-contributors.yml: contents: write (needs to commit changes)
- architectural-rules.yml: contents: read
- cs-fixer.yml: contents: read
https://claude.ai/code/session_01K1TiMQ8Xb3v2TioBaGgdaE
---
 .github/workflows/architectural-rules.yml | 3 +++
 .github/workflows/build.yml | 3 +++
 .github/workflows/cs-fixer.yml | 3 +++
 .github/workflows/update-contributors.yml | 4 ++++
 4 files changed, 13 insertions(+)

diff --git a/.github/workflows/architectural-rules.yml b/.github/workflows/architectural-rules.yml
index 833229e0..053e024a 100644
--- a/.github/workflows/architectural-rules.yml
+++ b/.github/workflows/architectural-rules.yml
@@ -3,6 +3,9 @@ name: Architectural test on: push: +permissions: + contents: read + jobs: phparkitect: name: PHPArkitect
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 285dcbfd..dea69b46 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -7,6 +7,9 @@ on: types: - published +permissions: + contents: read + jobs: build: runs-on: "ubuntu-22.04"
diff --git a/.github/workflows/cs-fixer.yml b/.github/workflows/cs-fixer.yml
index cd8380a8..8e042b9c 100644
--- a/.github/workflows/cs-fixer.yml
+++ b/.github/workflows/cs-fixer.yml
@@ -3,6 +3,9 @@ name: PHP CS Fixer on: pull_request: +permissions: + contents: read + jobs: cs-fixer: runs-on: ubuntu-22.04
diff --git a/.github/workflows/update-contributors.yml b/.github/workflows/update-contributors.yml
index d505e720..5b48eedf 100644
--- a/.github/workflows/update-contributors.yml
+++ b/.github/workflows/update-contributors.yml
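Review bot: An explicit `permissions:` map sets every scope it does not list to `none`, so after this hunk in architectural-rules.yml (and the matching ones in build.yml and cs-fixer.yml in this commit) any step that relied on a default scope other than `contents` — for example `checks` for annotations or `pull-requests` for comments — would lose it at runtime rather than at config time. The job steps are outside the hunk, so that needs confirming against each workflow. A comment above the new block keeps the intent from being undone by the next edit: `# GITHUB_TOKEN is read-only here; every unlisted scope is 'none'. Grant extra scopes per job, not at workflow level.`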
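Review bot: The commit message relies on `publish_phar` overriding this read-only default in build.yml with `contents: write`, but that job is outside the hunk, so whether it does cannot be checked here. A job-level `permissions:` map replaces the workflow-level one rather than merging with it, so the override has to list every scope that job uses, not only `contents`. Recording the dependency next to the new block keeps the two in step: `# Read-only default; publish_phar sets its own job-level permissions (a job-level map replaces this one, it does not extend it).`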
@@ -3,6 +3,10 @@ on: schedule: - cron: "0 12 * * 0" workflow_dispatch: + +permissions: + contents: write + jobs: main: runs-on: ubuntu-latest
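Review bot: `contents: write` at workflow level in update-contributors.yml hands a push-capable GITHUB_TOKEN to every job in the file, although the commit message gives committing from `main` as the only reason for write; the job's steps are outside the hunk. The approach the commit itself describes for build.yml — read at the top, write only on the job that needs it — fits here as well: keep `permissions:` / `  contents: read` at workflow level and add `permissions:` / `  contents: write` under `jobs.main`. That costs two lines and means any job added later starts read-only instead of inheriting push access.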