From 514bca00c9122cf9d39c0cecf9909255ca71875a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Mar 2026 14:24:04 +0000
Subject: [PATCH] Add minimum required permissions to all GitHub Actions workflows and fix path bugs
Co-authored-by: mtracz <22484267+mtracz@users.noreply.github.com>
Agent-Logs-Url: https://github.com/blumilksoftware/website/sessions/113664d0-7b90-4ce5-9695-3998f59ef20a
---
 .github/workflows/check.js.yml | 7 +++++--
 .github/workflows/check.php.yml | 5 ++++-
 .github/workflows/deploy-to-beta.yml | 3 +++
 .github/workflows/deploy-to-prod.yml | 3 +++
 .github/workflows/title.yml | 3 +++
 5 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/check.js.yml b/.github/workflows/check.js.yml
index 9bc3d300..79e606d3 100644
--- a/.github/workflows/check.js.yml
+++ b/.github/workflows/check.js.yml
@@ -9,7 +9,10 @@ on:
 - '**.ts'
 - '**.vue'
 - 'package.json'
- - 'package.lock'
+ - 'package-lock.json'
+
+permissions:
+ contents: read
 jobs:
 test-and-lint-js:
@@ -25,7 +28,7 @@ jobs:
 uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 # https://github.com/actions/cache
 with:
 path: node_modules
- key: ${{ runner.os }}-npm-dependencies-${{ hashFiles('package.lock') }}
+ key: ${{ runner.os }}-npm-dependencies-${{ hashFiles('package-lock.json') }}
 restore-keys: ${{ runner.os }}-npm-dependencies
 - name: Set up node
diff --git a/.github/workflows/check.php.yml b/.github/workflows/check.php.yml
index 83a48cd9..8dc11253 100644
--- a/.github/workflows/check.php.yml
+++ b/.github/workflows/check.php.yml
@@ -10,7 +10,10 @@ on:
 - 'composer.lock'
 - 'phpunit.xml'
 - '.env.ci'
- - 'check.php.yml'
+ - '.github/workflows/check.php.yml'
+
+permissions:
+ contents: read
 jobs:
 test-and-lint-php:
diff --git a/.github/workflows/deploy-to-beta.yml b/.github/workflows/deploy-to-beta.yml
index 18a5ae4e..c4fce346 100644
--- a/.github/workflows/deploy-to-beta.yml
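Review bot: In .github/workflows/check.js.yml the `paths:` entries visible in the first hunk still do not include the workflow file itself, while the check.php.yml hunk of this same commit corrects exactly that self-reference. An edit that touches only check.js.yml, such as a change to `permissions:` or to a pinned action SHA, would then merge without the job ever running against it. If the entries above the hunk do not already cover it, add `- '.github/workflows/check.js.yml'` next to `- 'package-lock.json'`. The `paths:` list starts outside the hunk, so this is inferred from the visible lines only.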
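Review bot: In the second hunk of check.js.yml the corrected `key:` is still paired with `restore-keys: ${{ runner.os }}-npm-dependencies`, so every lockfile change falls back to the most recent `node_modules` cache, which was built from a different lockfile. What the lint and test steps then run against depends on the install step, which is outside the hunk: `npm ci` rebuilds the tree from the lockfile, while `npm install` would keep whatever was restored. Dropping the `restore-keys:` line, or caching the npm download cache with `path: ~/.npm` instead of `node_modules`, keeps the installed tree tied to the committed lockfile.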
+++ b/.github/workflows/deploy-to-beta.yml
@@ -4,6 +4,9 @@ concurrency:
 group: deploy-beta
 cancel-in-progress: true
+permissions:
+ contents: read
+
 on:
 workflow_dispatch:
diff --git a/.github/workflows/deploy-to-prod.yml b/.github/workflows/deploy-to-prod.yml
index b3ccbba9..dc0fc096 100644
--- a/.github/workflows/deploy-to-prod.yml
+++ b/.github/workflows/deploy-to-prod.yml
@@ -4,6 +4,9 @@ concurrency:
 group: deploy-prod
 cancel-in-progress: true
+permissions:
+ contents: read
+
 on:
 push:
 tags:
diff --git a/.github/workflows/title.yml b/.github/workflows/title.yml
index 2195c6d1..83b9a961 100644
--- a/.github/workflows/title.yml
+++ b/.github/workflows/title.yml
@@ -9,6 +9,9 @@ on:
 - edited
 - synchronize
+permissions:
+ pull-requests: read
+
 jobs:
 check-pr-title:
 name: Check the PR title
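Review bot: The workflow-level `permissions: contents: read` in deploy-to-beta.yml sets every unlisted scope to `none`, and the deploy jobs are outside the hunk, so nothing visible confirms that read-only contents is enough for them. A step that relies on `id-token: write` for OIDC login, `packages: write` for a registry push, or `deployments: write` would fail at deploy time rather than in review. If a job needs more, grant it in that job's own `permissions:` block and keep this top-level default; a comment such as `# default for all jobs; unlisted scopes are none` above the block would make the intent explicit. The same applies to the identical hunk in deploy-to-prod.yml, which runs on tag pushes.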
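Review bot: `permissions: pull-requests: read` in title.yml leaves `contents` at `none`, and both the trigger name and the job steps sit outside the hunk, so two things need checking against the full file. If the job checks out the repository or reports its result through a commit status, it needs `contents: read` or `statuses: write` granted on that job. Separately, the PR title is author-controlled text: if any step expands `${{ github.event.pull_request.title }}` directly inside a `run:` script, pass it through `env:` instead, which matters most if the trigger is `pull_request_target`.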