actions: Set permissions for various smaller workflows (#46093)

Mostly through static analysis. A few made use of docs for other
actions.

See inline comments for the main notes on what things need.
Other notes:

* `.github/actions/turnstile` - It has docs, may as well mention it
  (theoretically) needing `actions: read`.
* coverage-check: Already had some set, but it turns out it doesn't need
  most of them anymore. It uses the app token for almost everything
  instead of the default Actions token.
* update-phan-stubs: This one also had permissions set that it doesn't
  need. It even uses a matticbot token for the checkout, so none needed
  at all.

Also the following already had permissions that seem correct:

* build-docker
* build-docker-monorepo
* post-build

Author: anomiex

.github/actions/turnstile/README.md

@@ -52,6 +52,10 @@ jobs:
 
 If you want to limit the maximum amount of time spent waiting, use GitHub's [timeout-minutes](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepstimeout-minutes) on the step. If you want to continue if the timeout expires, use GitHub's [continue-on-error](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) on the step.
 
+### Permissions
+
+When using `github.token`, this may need the `actions: read` workflow permission.
+
 ## How?
 
 Using the current run's run ID, it first hits GitHub's [workflow run API](https://docs.github.com/en/rest/actions/workflow-runs#get-a-workflow-run) to fetch the workflow ID and head branch.

.github/workflows/autotagger.yml

@@ -7,6 +7,13 @@ on:
       - prerelease
       - '*/branch-*'
 
+permissions:
+  # ./.github/actions/turnstile
+  actions: read
+  # read: actions/checkout
+  # write: `git push`
+  contents: write
+
 jobs:
   tag:
     name: Tag

.github/workflows/check-actions-rate-limit.yml

@@ -6,6 +6,7 @@ jobs:
   check:
     name: Check Actions rate limit
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       - name: Check rate limit
         env:

.github/workflows/coverage-check.yml

@@ -14,9 +14,9 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  checks: read
-  pull-requests: write
-  statuses: write
+  # actions/checkout
+  contents: read
+  # Everything else uses an app token, so no need for permissions.
 
 jobs:
   code-coverage-label:

.github/workflows/delete-mirror-branches.yml

@@ -2,6 +2,11 @@ name: Delete mirror branches
 on:
   delete:
 
+permissions:
+  # actions/checkout
+  contents: read
+  # Deletion step uses secrets.API_TOKEN_GITHUB, so no need for permissions.
+
 jobs:
   delete:
     name: Delete `${{ github.event.ref }}`

.github/workflows/phpcompatibility-dev.yml

@@ -10,6 +10,10 @@ concurrency:
   group: phpcompatibility-dev-${{ github.event_name }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  # actions/checkout
+  contents: read
+
 env:
   COMPOSER_ROOT_VERSION: "dev-trunk"
 
@@ -18,6 +22,11 @@ jobs:
     name: detect changed files
     runs-on: ubuntu-latest
     timeout-minutes: 1  # 2025-11-06: Successful runs seem to take a few seconds.
+    permissions:
+      # actions/checkout
+      contents: read
+      # dorny/paths-filter
+      pull-requests: read
     outputs:
       php: ${{ steps.filter.outputs.php }}
       misc: ${{ steps.filter.outputs.misc }}

.github/workflows/pr-is-up-to-date.yml

@@ -8,6 +8,11 @@ on:
       - pr-update-to
       - pr-update-to-projects/**
 
+permissions:
+  # ./.github/actions/turnstile
+  actions: read
+  # Note everything else, including actions/checkout, is using secrets.API_TOKEN_GITHUB, so no need for permissions.
+
 jobs:
   check:
     name: Check

.github/workflows/renovate.yml

@@ -23,6 +23,11 @@ on:
 concurrency:
   group: renovate-${{ github.ref }}
 
+permissions:
+  # actions/checkout
+  contents: read
+  # Note renovatebot/github-action is passed secrets.RENOVATE_TOKEN, so no need for permissions.
+
 jobs:
   renovate:
     name: Renovate

.github/workflows/slack-branch-existence-notification.yml

@@ -3,6 +3,10 @@ on:
   create:
   delete:
 
+permissions:
+  # actions/checkout
+  contents: read
+
 jobs:
   notify:
     name: Notify

.github/workflows/slack-workflow-failed.yml

@@ -17,6 +17,10 @@ on:
       - Update Phan stubs
     branches: [ 'trunk', 'prerelease', '*/branch-*' ]
 
+permissions:
+  # actions/checkout
+  contents: read
+
 jobs:
   notify:
     name: Notify failure