
Fix/workflows#944

Merged
nicholasio merged 13 commits into develop from fix/workflows on Feb 5, 2026

Conversation

jeffpaul (Member) commented Feb 4, 2026

Description of the Change

This pull request updates the permissions configuration for several GitHub Actions workflows to explicitly declare the minimum required permissions for each workflow. This improves security by restricting token access to only what is needed for each workflow to run.

Permissions configuration updates:

  • Build and test workflows now explicitly request read-only access to repository contents in .github/workflows/build-test.yml, .github/workflows/eslint.yml, .github/workflows/phpcs.yml, .github/workflows/phpunit.yml, and .github/workflows/unit-tests.yml.

  • Next.js bundle analysis workflows now request read access to contents, actions, and write access to pull requests and issues in .github/workflows/nextjs_bundle_analysis.yml, and read access to contents plus write access to pull requests in .github/workflows/nextjs_bundle_analysis-app-router.yml.

Deployment and release workflows:

  • Documentation and plugin release workflows now request write access to repository contents in .github/workflows/deploy-docs.yml, .github/workflows/deploy_wp_plugin_develop.yml, and .github/workflows/deploy_wp_plugin_stable.yml.

  • NPM and latest release workflows now request write access to contents and pull requests in .github/workflows/npm-release-next-version.yml and .github/workflows/release-latest-version.yml.

How to test the Change

Changelog Entry

n/a

Credits

Props @jeffpaul.

Checklist:


Note

Low Risk
Workflow-only permission scoping change; low functional risk, with the main risk being CI/deploy jobs failing if any required permission was missed.

Overview
Adds explicit permissions blocks across GitHub Actions workflows to follow least-privilege defaults.

CI/test workflows are restricted to contents: read, while release/deploy workflows grant contents: write (and where needed pull-requests: write, plus actions: read/issues: write for bundle analysis) so they can publish artifacts and comment/update PRs.

Written by Cursor Bugbot for commit 6db0242.

Cursor Bugbot found 1 potential issue for commit 6db0242

jeffpaul and others added 13 commits February 4, 2026 17:35
…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@jeffpaul jeffpaul requested a review from nicholasio February 4, 2026 23:42
@jeffpaul jeffpaul self-assigned this Feb 4, 2026
vercel bot commented Feb 4, 2026

The latest updates on your projects.

Project                 Deployment   Actions            Updated (UTC)
headstartwp-app-router  Ready        Preview, Comment   Feb 4, 2026 11:43pm
headstarwp              Ready        Preview, Comment   Feb 4, 2026 11:43pm

changeset-bot bot commented Feb 4, 2026

⚠️ No Changeset found

Latest commit: 6db0242

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


github-actions bot (Contributor) commented Feb 4, 2026

📦 Next.js Bundle Analysis for @10up/wp-nextjs-app

This analysis was generated by the Next.js Bundle Analysis action. 🤖

🎉 Global Bundle Size Decreased

Page Size (compressed)
global 83.62 KB (🟢 -42.45 KB)
Details

The global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis

If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!

github-actions bot (Contributor) commented Feb 4, 2026

📦 Next.js Bundle Analysis for @10up/headstartwp

This analysis was generated by the Next.js Bundle Analysis action. 🤖

This PR introduced no changes to the JavaScript bundle! 🙌

cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.



permissions:
  contents: read
  pull-requests: write

Missing actions: read permission for artifact download

High Severity

The App Router bundle analysis workflow is missing the actions: read permission required by dawidd6/action-download-artifact@v6 to download artifacts from other workflow runs. The Pages Router version of this workflow correctly includes actions: read, but it was omitted here. Without this permission, the "Download base branch bundle stats" step will fail, breaking the bundle comparison feature.

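The two checks this thread turns on, as an added example that is not part of the PR or of the HeadstartWP project's own code: a stdlib-only Python audit over a .github/workflows directory that flags any workflow without a top-level permissions: block (so the GITHUB_TOKEN silently inherits the repository-wide default instead of an explicit least-privilege set) and any workflow that uses dawidd6/action-download-artifact without the actions: read scope the review comment above says it needs. The sample workflow texts are constructed to mirror the ones described in the PR, not copied from the repository; the line-based parser, the function names, and the assumption that workflows use two-space indentation are all mine.

```python
"""Stdlib-only audit of GitHub Actions workflow permissions (example code, not the project's).

Assumptions (mine): workflows use two-space indentation and declare permissions either
as a mapping or as the shorthand read-all / write-all / {}. This is a line-based
heuristic, not a YAML parser, and only top-level (column 0) blocks are considered.
"""
import re
from pathlib import Path

# The action named in the review comment: it fetches artifacts of other workflow
# runs through the Actions API and therefore needs the actions: read scope.
DOWNLOAD_ARTIFACT_ACTION = "dawidd6/action-download-artifact"

TOP_LEVEL_PERMISSIONS = re.compile(r"^permissions:\s*(.*?)\s*$")  # column 0 only
SCOPE_LINE = re.compile(r"^\s+([\w-]+):\s*([\w-]+)\s*$")           # e.g. "  contents: read"


def parse_top_level_permissions(text):
    """Return {scope: level} for the top-level permissions block, or None if absent.

    Shorthand forms are normalised to {"*": "read-all"} / {"*": "write-all"};
    `permissions: {}` becomes an empty dict (token gets no scopes at all).
    """
    lines = text.splitlines()
    for index, line in enumerate(lines):
        match = TOP_LEVEL_PERMISSIONS.match(line)  # job-level blocks are indented, so skipped
        if not match:
            continue
        inline = match.group(1)
        if inline in ("read-all", "write-all"):
            return {"*": inline}
        if inline == "{}":
            return {}
        scopes = {}
        for sub in lines[index + 1:]:
            if not sub.strip() or sub.lstrip().startswith("#"):
                continue  # blank lines and comments do not end the mapping
            if not sub.startswith(" "):
                break  # back at column 0: the next top-level key
            scope = SCOPE_LINE.match(sub)
            if scope:
                scopes[scope.group(1)] = scope.group(2)
        return scopes
    return None


def audit_workflow(name, text):
    """Return a list of findings for one workflow; an empty list means it passes."""
    findings = []
    scopes = parse_top_level_permissions(text)
    if scopes is None:
        findings.append(f"{name}: no top-level permissions block; GITHUB_TOKEN inherits the repository default")
        return findings
    if scopes.get("*") == "write-all":
        findings.append(f"{name}: permissions: write-all grants every scope")
    has_actions_read = scopes.get("actions") in ("read", "write") or scopes.get("*") in ("read-all", "write-all")
    if DOWNLOAD_ARTIFACT_ACTION in text and not has_actions_read:
        findings.append(f"{name}: uses {DOWNLOAD_ARTIFACT_ACTION} but lacks actions: read")
    return findings


def audit_directory(workflows_dir):
    """Audit every .yml / .yaml file in a .github/workflows directory."""
    findings = []
    paths = sorted(p for p in Path(workflows_dir).iterdir() if p.suffix in (".yml", ".yaml"))
    for path in paths:
        findings.extend(audit_workflow(path.name, path.read_text(encoding="utf-8")))
    return findings


# Constructed sample workflows mirroring the ones described in the PR (not the real files).
CI_WORKFLOW = """\
name: Build and test
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
"""

# The App Router bundle analysis block as the review comment found it: no actions: read.
APP_ROUTER_WORKFLOW = """\
name: Next.js Bundle Analysis (app router)
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - name: Download base branch bundle stats
        uses: dawidd6/action-download-artifact@v6
"""

# The Pages Router version, which the review comment says does include actions: read.
PAGES_ROUTER_WORKFLOW = APP_ROUTER_WORKFLOW.replace(
    "  pull-requests: write\n", "  actions: read\n  pull-requests: write\n  issues: write\n")

# A deploy workflow that declares no permissions block at all.
NO_PERMISSIONS_WORKFLOW = """\
name: Deploy docs
on:
  push:
    branches: [develop]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

if __name__ == "__main__":
    samples = {
        "build-test.yml": CI_WORKFLOW,
        "nextjs_bundle_analysis-app-router.yml": APP_ROUTER_WORKFLOW,
        "nextjs_bundle_analysis.yml": PAGES_ROUTER_WORKFLOW,
        "deploy-docs.yml": NO_PERMISSIONS_WORKFLOW,
    }
    for name, text in samples.items():
        for finding in audit_workflow(name, text) or [f"{name}: ok"]:
            print(finding)
```

Run it as a pre-merge step with audit_directory(".github/workflows") and fail the job on a non-empty result. One deliberate simplification: a workflow that scopes permissions only per job (no top-level block) is still reported, because the top-level block is what this PR standardises on; extend the parser if your repository uses job-level blocks instead.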

@nicholasio nicholasio merged commit 8e1f9df into develop Feb 5, 2026
21 checks passed
@nicholasio nicholasio deleted the fix/workflows branch February 5, 2026 02:12