GitHub Workflows security hardening
@@ -8,8 +8,12 @@ on:
- '.github/workflows/build-deploy-docs.yml'
- 'DOCUMENTATION/**'
+permissions: {}
jobs:
build-deploy-docs:
+ permissions:
+ contents: write # to push pages branch (peaceiris/actions-gh-pages)
+
if: github.repository == 'laradock/laradock'
runs-on: ubuntu-20.04
concurrency:
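Review bot: The `contents: write` grant on `build-deploy-docs` is job-wide, so every step in the job runs with a token that can push to the repository, not only the peaceiris/actions-gh-pages step named in the comment. The steps are outside this hunk, but if the same job also builds the documentation, consider moving the build into its own job with `contents: read` that hands the site over as an artifact, leaving `contents: write` on a deploy-only job. If the publish step references the third-party action by a mutable tag, pinning it to a full commit SHA would keep the write-scoped token from reaching code that changed after review. The top-level `permissions: {}` is a good deny-by-default baseline and should stay.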
@@ -11,6 +11,9 @@ on:
schedule:
- cron: '0 0 * * 0'
+permissions:
+ contents: read # to fetch code (actions/checkout)
build-php:
# Don't trigger on schedule event when in a fork
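Review bot: The workflow-level `contents: read` here is inconsistent with the first workflow in this commit, which sets `permissions: {}` at the top and grants scopes per job. As written, every job in this file inherits read access, including any added later, and the `# to fetch code (actions/checkout)` comment sits away from the job that needs it. For consistency, consider `permissions: {}` at the workflow level and `permissions:` / `contents: read` under `build-php` and any sibling job that checks out code. The remaining jobs are outside the hunk, so confirm none of them needs an additional scope before tightening.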