From 1df0ac6fe013af0912e3bb774096dffb8702d639 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Mar 2026 13:28:38 +0000
Subject: [PATCH 1/2] Initial plan
From ad68c016f3ab49384e2e971ab03d4c647ce8112c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Mar 2026 13:30:47 +0000
Subject: [PATCH 2/2] ci: add minimum required permissions to GitHub Actions workflows
Co-authored-by: mtracz <22484267+mtracz@users.noreply.github.com>
Agent-Logs-Url: https://github.com/blumilksoftware/lmt/sessions/2cdd6ca5-483e-4170-bea5-508f673b41f0
---
 .github/workflows/check-php.yml | 3 +++
 .github/workflows/deploy-to-dev.yml | 3 +++
 .github/workflows/deploy-to-production.yml | 3 +++
 .github/workflows/title.yml | 4 ++++
 4 files changed, 13 insertions(+)
diff --git a/.github/workflows/check-php.yml b/.github/workflows/check-php.yml
index 4603c26a..799f47f8 100644
--- a/.github/workflows/check-php.yml
+++ b/.github/workflows/check-php.yml
@@ -11,6 +11,9 @@ on:
 - 'phpunit.xml'
 - 'env.ci'
+permissions:
+ contents: read
+
 jobs:
 test-and-lint-php:
 name: Test & lint PHP codebase
diff --git a/.github/workflows/deploy-to-dev.yml b/.github/workflows/deploy-to-dev.yml
index 9acba3d4..e126ff50 100644
--- a/.github/workflows/deploy-to-dev.yml
+++ b/.github/workflows/deploy-to-dev.yml
@@ -7,6 +7,9 @@ concurrency:
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 deploy:
 environment: dev
diff --git a/.github/workflows/deploy-to-production.yml b/.github/workflows/deploy-to-production.yml
index 5ee9d156..1825cc34 100644
--- a/.github/workflows/deploy-to-production.yml
+++ b/.github/workflows/deploy-to-production.yml
@@ -11,6 +11,9 @@ on:
 description: "Tag to deploy"
 required: true
+permissions:
+ contents: read
+
 jobs:
 deploy:
diff --git a/.github/workflows/title.yml b/.github/workflows/title.yml
index 788b29ac..6b2f647e 100644
--- a/.github/workflows/title.yml
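Review bot: In deploy-to-dev.yml the deploy steps that would show whether `contents: read` is enough are outside the hunk, and a workflow-level `permissions:` block sets every unlisted GITHUB_TOKEN scope to `none`; the same applies to the identical block in deploy-to-production.yml. If a deploy step pushes to the package registry or requests an OIDC token, it needs its own grant, for example `packages: write` or `id-token: write`, ideally declared on the `deploy` job so the workflow default stays read-only. deploy-to-dev.yml is triggered only by `workflow_dispatch`, so this pull request's checks will not exercise the reduced token; one manual dev deploy before merging would confirm it still works.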
+++ b/.github/workflows/title.yml
@@ -9,6 +9,10 @@ on:
 - edited
 - synchronize
+permissions:
+ contents: read
+ pull-requests: read
+
 jobs:
 check-pr-title:
 name: Check the PR title
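Review bot: `contents: read` in title.yml is only needed if the `check-pr-title` job checks out the repository, and the job's steps are outside the hunk. If the job only inspects the pull request title, the block can shrink to `pull-requests: read` alone. If it reports its result by commenting or setting a commit status, that write scope has to be granted on the job, since unlisted scopes become `none` once this block exists. A one-line comment above the block, such as `# read-only token: the title check never writes to the repo or the PR`, would record which case applies.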