Add explicit permissions and remove decorator comments from workflows

.github/workflows/code-quality.yml

@@ -8,6 +8,9 @@ on:
       - main
       - master
 
+permissions:
+  contents: read
+
 jobs:
   code-quality:
     uses: wp-cli/.github/.github/workflows/reusable-code-quality.yml@main

.github/workflows/copilot-setup-steps.yml

@@ -17,17 +17,17 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 
       - name: Check existence of composer.json file
         id: check_composer_file
-        uses: andstor/file-existence-action@v3
+        uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
         with:
           files: "composer.json"
 
       - name: Set up PHP environment
         if: steps.check_composer_file.outputs.files_exists == 'true'
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2
         with:
           php-version: 'latest'
           ini-values: zend.assertions=1, error_reporting=-1, display_errors=On
@@ -38,7 +38,7 @@ jobs:
 
       - name: Install Composer dependencies & cache dependencies
         if: steps.check_composer_file.outputs.files_exists == 'true'
-        uses: ramsey/composer-install@v3
+        uses: ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520 # v3
         env:
           COMPOSER_ROOT_VERSION: dev-${{ github.event.repository.default_branch }}
         with:

.github/workflows/issue-triage.yml

@@ -13,6 +13,12 @@ name: Issue and PR Triage
         required: false
         type: string
 
+permissions:
+  issues: write
+  pull-requests: write
+  actions: write
+  contents: read
+
 jobs:
   issue-triage:
     uses: wp-cli/.github/.github/workflows/reusable-issue-triage.yml@main

.github/workflows/regenerate-readme.yml

@@ -10,6 +10,10 @@ on:
       - "features/**"
       - "README.md"
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   regenerate-readme:
     uses: wp-cli/.github/.github/workflows/reusable-regenerate-readme.yml@main

.github/workflows/reusable-check-branch-alias.yml

@@ -27,20 +27,20 @@ jobs:
 
     steps:
       - name: Check out source code
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
         with:
           fetch-depth: 0 # Fetch all history for all tags
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2
         with:
           php-version: 'latest'
           tools: composer
 
       - name: Check existence of composer.json file
         id: check_composer_file
-        uses: andstor/file-existence-action@v3
+        uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
         with:
           files: "composer.json"
 
@@ -126,7 +126,7 @@ jobs:
 
       - name: Create Pull Request
         if: steps.check_alias.outputs.needs_update == 'true'
-        uses: peter-evans/create-pull-request@v8
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           base: ${{ github.event.repository.default_branch }}

.github/workflows/reusable-code-quality.yml

@@ -9,6 +9,9 @@ on:
         required: false
         default: ''
 
+permissions:
+  contents: read
+
 # Cancels all previous workflow runs for the same branch that have not yet completed.
 concurrency:
   # The concurrency group contains the workflow name and the branch name.
@@ -17,12 +20,12 @@ concurrency:
 
 jobs:
 
-  actionlint: #-----------------------------------------------------------------------
+  actionlint:
     name: Lint GitHub Actions workflows
     runs-on: ubuntu-latest
     steps:
       - name: Check out source code
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 
       - name: Add problem matcher
         run: |
@@ -34,22 +37,22 @@ jobs:
         with:
           args: -color -shellcheck=
 
-  lint: #-----------------------------------------------------------------------
+  lint:
     name: Lint PHP files
     runs-on: ubuntu-latest
     steps:
       - name: Check out source code
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 
       - name: Check existence of composer.json file
         id: check_composer_file
-        uses: andstor/file-existence-action@v3
+        uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
         with:
           files: "composer.json"
 
       - name: Set up PHP environment
         if: steps.check_composer_file.outputs.files_exists == 'true'
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2
         with:
           php-version: 'latest'
           ini-values: zend.assertions=1, error_reporting=-1, display_errors=On
@@ -59,7 +62,7 @@ jobs:
 
       - name: Install Composer dependencies & cache dependencies
         if: steps.check_composer_file.outputs.files_exists == 'true'
-        uses: "ramsey/composer-install@v3"
+        uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
         env:
           COMPOSER_ROOT_VERSION: dev-${{ github.event.repository.default_branch }}
         with:
@@ -68,7 +71,7 @@ jobs:
 
       - name: Check existence of vendor/bin/parallel-lint file
         id: check_linter_file
-        uses: andstor/file-existence-action@v3
+        uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
         with:
           files: "vendor/bin/parallel-lint"
 
@@ -95,56 +98,56 @@ jobs:
         env:
           ADDITIONAL_EXCLUDES: ${{ inputs.parallel-lint-excludes }}
 
-  lint-gherkin: #----------------------------------------------------------------
+  lint-gherkin:
     name: Lint Gherkin Feature files
     runs-on: ubuntu-latest
     steps:
       - name: Check out source code
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 
       - name: Setup node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
 
       - name: Download lint rules
         run: curl https://raw.githubusercontent.com/wp-cli/.github/refs/heads/main/.gherkin-lintrc -o $RUNNER_TEMP/.gherkin-lintrc
 
       - name: Run linter
         run: npx --yes gherkin-lint -c $RUNNER_TEMP/.gherkin-lintrc
 
-  lint-spellcheck: #----------------------------------------------------------------
+  lint-spellcheck:
     name: Spell check
     runs-on: ubuntu-latest
     steps:
       - name: Check out source code
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 
       - name: Check existence of config file
         id: check_files
-        uses: andstor/file-existence-action@v3
+        uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
         with:
           files: ".typos.toml"
 
       - name: Check spelling
         if: steps.check_files.outputs.files_exists == 'true'
-        uses: crate-ci/[email protected]
+        uses: crate-ci/typos@65120634e79d8374d1aa2f27e54baa0c364fff5a # v1.42.1
 
-  phpcs: #----------------------------------------------------------------------
+  phpcs:
     name: PHPCS
     runs-on: ubuntu-latest
 
     steps:
       - name: Check out source code
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 
       - name: Check existence of composer.json & phpcs.xml.dist files
         id: check_files
-        uses: andstor/file-existence-action@v3
+        uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
         with:
           files: "composer.json, phpcs.xml.dist"
 
       - name: Set up PHP environment
         if: steps.check_files.outputs.files_exists == 'true'
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2
         with:
           php-version: 'latest'
           tools: cs2pr
@@ -153,7 +156,7 @@ jobs:
 
       - name: Install Composer dependencies & cache dependencies
         if: steps.check_files.outputs.files_exists == 'true'
-        uses: "ramsey/composer-install@v3"
+        uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
         env:
           COMPOSER_ROOT_VERSION: dev-${{ github.event.repository.default_branch }}
         with:
@@ -162,7 +165,7 @@ jobs:
 
       - name: Check existence of vendor/bin/phpcs file
         id: check_phpcs_binary_file
-        uses: andstor/file-existence-action@v3
+        uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
         with:
           files: "vendor/bin/phpcs"
 
@@ -177,23 +180,23 @@ jobs:
             cs2pr /tmp/phpcs-checkstyle-report.xml
           fi
 
-  phpstan: #----------------------------------------------------------------------
+  phpstan:
     name: PHPStan
     runs-on: ubuntu-latest
 
     steps:
       - name: Check out source code
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 
       - name: Check existence of composer.json & phpcs.xml.dist files
         id: check_files
-        uses: andstor/file-existence-action@v3
+        uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
         with:
           files: "composer.json"
 
       - name: Set up PHP environment
         if: steps.check_files.outputs.files_exists == 'true'
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@44454db4f0199b8b9685a5d763dc37cbf79108e1 # v2
         with:
           php-version: 'latest'
           tools: cs2pr
@@ -202,7 +205,7 @@ jobs:
 
       - name: Install Composer dependencies & cache dependencies
         if: steps.check_files.outputs.files_exists == 'true'
-        uses: "ramsey/composer-install@v3"
+        uses: "ramsey/composer-install@3cf229dc2919194e9e36783941438d17239e8520" # v3
         env:
           COMPOSER_ROOT_VERSION: dev-${{ github.event.repository.default_branch }}
         with:
@@ -211,7 +214,7 @@ jobs:
 
       - name: Check existence of vendor/bin/phpstan file
         id: check_phpstan_binary_file
-        uses: andstor/file-existence-action@v3
+        uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
         with:
           files: "vendor/bin/phpstan"
 

.github/workflows/reusable-issue-triage.yml

@@ -24,7 +24,7 @@ jobs:
     steps:
       - name: Get available labels
         id: get-labels
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           script: |
             const labels = await github.rest.issues.listLabelsForRepo({
@@ -53,7 +53,7 @@ jobs:
 
       - name: Analyze with AI
         id: ai-triage
-        uses: actions/ai-inference@v2
+        uses: actions/ai-inference@a6101c89c6feaecc585efdd8d461f18bb7896f20 # v2
         with:
           prompt: |
             ## Role
@@ -105,7 +105,7 @@ jobs:
 
       - name: Apply labels
         if: steps.ai-triage.outputs.response != ''
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           AI_RESPONSE: ${{ steps.ai-triage.outputs.response }}
           AVAILABLE_LABELS: ${{ env.AVAILABLE_LABELS }}
@@ -174,7 +174,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Find and dispatch triage for unlabeled items
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           script: |
             // Get all open issues (includes PRs)
@@ -244,7 +244,7 @@ jobs:
     steps:
       - name: Get available labels
         id: get-labels
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           script: |
             const labels = await github.rest.issues.listLabelsForRepo({
@@ -257,7 +257,7 @@ jobs:
 
       - name: Get item details
         id: get-item
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           script: |
             const itemNumber = parseInt('${{ inputs.issue_number }}');
@@ -295,7 +295,7 @@ jobs:
 
       - name: Analyze with AI
         id: ai-triage
-        uses: actions/ai-inference@v2
+        uses: actions/ai-inference@a6101c89c6feaecc585efdd8d461f18bb7896f20 # v2
         with:
           prompt: |
             ## Role
@@ -347,7 +347,7 @@ jobs:
 
       - name: Apply labels
         if: steps.ai-triage.outputs.response != ''
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           AI_RESPONSE: ${{ steps.ai-triage.outputs.response }}
           ITEM_NUMBER: ${{ inputs.issue_number }}