- Harden GitHub Actions workflows with minimum required permissions

[Copilot]

All workflows were missing explicit permissions declarations, meaning each job ran with the default broad GITHUB_TOKEN scopes. Additionally, test-bash-script.yml had a shell injection vector via direct ${{ github.head_ref }} interpolation in a run step.

Changes

Permissions (all workflows)

• Set permissions: {} at workflow level (deny-all baseline)
• Grant only the minimum required permission at job level:
  • pull-requests: read — check-pr-title.yml (API read of PR title)
  • contents: read — all other workflows (actions/checkout)

This applies to workflows in both .github/workflows/ and src/.github/workflows/.

Shell injection fix (test-bash-script.yml)

A branch name like $(malicious) or ; cmd would execute in the runner shell:

# Before — unsafe: expression expands before shell sees it
run: ./init.sh "TestApp" "TestNamespace" "${{ github.head_ref }}" ...

# After — safe: value passed via env, expanded by shell as a variable
env:
  BRANCH_NAME: ${{ github.head_ref }}
run: ./init.sh "TestApp" "TestNamespace" "$BRANCH_NAME" ...

---

📍 Connect Copilot coding agent with Jira, Azure Boards or Linear to delegate work to Copilot in one click without leaving your project management tool.

[mtracz]

@copilot you forgot about workflows in src/.github/workflows dir. Fix it.

[Copilot]

@copilot you forgot about workflows in src/.github/workflows dir. Fix it.

Fixed in e9c346e — applied the same permissions: {} (deny-all) at workflow level and minimum job-level permissions to all three workflows in src/.github/workflows/:

• check-pr-title.yml → pull-requests: read
• test-and-lint-js.yml → contents: read
• test-and-lint-php.yml → contents: read