feat(workflows): Add action permission monitoring to multiple workflows. (#65)

terabytesoftw · web-flow · commit 7374a85a91f4 · 2025-09-28T12:13:26.000-03:00
diff --git a/.github/workflows/codeception.yml b/.github/workflows/codeception.yml
@@ -94,6 +94,10 @@ jobs:
         php-version: ${{ fromJson(inputs.php-version) }}
 
     steps:
+      - name: Monitor action permissions.
+        if: runner.os != 'Windows'
+        uses: GitHubSecurityLab/actions-permissions/monitor@v1
+
       - name: Checkout.
         uses: actions/checkout@v5
 
diff --git a/.github/workflows/composer-require-checker.yml b/.github/workflows/composer-require-checker.yml
@@ -77,6 +77,10 @@ jobs:
         php-version: ${{ fromJson(inputs.php-version) }}
 
     steps:
+      - name: Monitor action permissions.
+        if: runner.os != 'Windows'
+        uses: GitHubSecurityLab/actions-permissions/monitor@v1
+
       - name: Checkout.
         uses: actions/checkout@v5
 
diff --git a/.github/workflows/ecs.yml b/.github/workflows/ecs.yml
@@ -77,6 +77,10 @@ jobs:
         php-version: ${{ fromJson(inputs.php-version) }}
 
     steps:
+      - name: Monitor action permissions.
+        if: runner.os != 'Windows'
+        uses: GitHubSecurityLab/actions-permissions/monitor@v1
+
       - name: Checkout.
         uses: actions/checkout@v5
 
diff --git a/.github/workflows/infection.yml b/.github/workflows/infection.yml
@@ -124,6 +124,10 @@ jobs:
         php-version: ${{ fromJson(inputs.php-version) }}
 
     steps:
+      - name: Monitor action permissions.
+        if: runner.os != 'Windows'
+        uses: GitHubSecurityLab/actions-permissions/monitor@v1
+
       - name: Checkout.
         uses: actions/checkout@v5
 
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -8,9 +8,5 @@ name: linter
 jobs:
   linter:
     uses: php-forge/actions/.github/workflows/super-linter.yml@main
-    permissions:
-      checks: write
-      contents: read
-      statuses: write
     secrets:
       AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/phpstan.yml b/.github/workflows/phpstan.yml
@@ -87,6 +87,10 @@ jobs:
         php-version: ${{ fromJson(inputs.php-version) }}
 
     steps:
+      - name: Monitor action permissions.
+        if: runner.os != 'Windows'
+        uses: GitHubSecurityLab/actions-permissions/monitor@v1
+
       - name: Checkout.
         uses: actions/checkout@v5
 
diff --git a/.github/workflows/phpunit-database.yml b/.github/workflows/phpunit-database.yml
@@ -175,6 +175,10 @@ jobs:
           --health-retries=${{ inputs.database-health-retries }}
 
     steps:
+      - name: Monitor action permissions.
+        if: runner.os != 'Windows'
+        uses: GitHubSecurityLab/actions-permissions/monitor@v1
+
       - name: Checkout.
         uses: actions/checkout@v5
 
diff --git a/.github/workflows/phpunit.yml b/.github/workflows/phpunit.yml
@@ -125,6 +125,10 @@ jobs:
         php-version: ${{ fromJson(inputs.php-version) }}
 
     steps:
+      - name: Monitor action permissions.
+        if: runner.os != 'Windows'
+        uses: GitHubSecurityLab/actions-permissions/monitor@v1
+
       - name: Checkout.
         uses: actions/checkout@v5
 
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
@@ -96,6 +96,10 @@ jobs:
     runs-on: ${{ fromJSON(inputs.os) }}
 
     steps:
+      - name: Monitor action permissions.
+        if: runner.os != 'Windows'
+        uses: GitHubSecurityLab/actions-permissions/monitor@v1
+
       - name: Checkout.
         uses: actions/checkout@v5
         with:
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,8 @@
 
 ## v2.0.3 Under development
 
+- Enh #65: Add action permission monitoring to multiple workflows (@terabytesoftw)
+
 ## v2.0.2 September 25, 2025
 
 - Bug #64: Add validation input options for `super-linter.yml` actions (@terabytesoftw)
