build: harden GitHub workflow permissions

Grant pull-requests write permission to the labeler workflow and read-only to everything else. Signed-off-by: Alex Low <aleksandrosansan@gmail.com> [ wrap to 80 columns and fix wrong author as requested by author itself ] Signed-off-by: Christian Marangi <ansuelsmth@gmail.com> (cherry picked from commit 715259940776843d8799bc39de8eb50eb764189b)
author: Alex Low <aleksandrosansan@gmail.com> 2022-09-19 12:20:37 +0200
committer: Josef Schlehofer <pepe.schlehofer@gmail.com> 2022-12-04 16:26:59 +0100
commit: 3a9f927c2f74bce2f8b6c1fe654db3ef2cabae0a (patch)
tree: c45ef176726c446b37be92f042aeba05943b057d /.github/workflows/labeler.yml
parent: 8496275f83fda227f9b9c8d706ca18d1d3733c77 (diff)
download: upstream-3a9f927c2f74bce2f8b6c1fe654db3ef2cabae0a.tar.gz
upstream-3a9f927c2f74bce2f8b6c1fe654db3ef2cabae0a.tar.bz2
upstream-3a9f927c2f74bce2f8b6c1fe654db3ef2cabae0a.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 6bcdf51a89..420617809b 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -2,8 +2,15 @@ name: 'Pull Request Labeler'
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   labeler:
+    permissions:
+      contents: read # to determine modified files (actions/labeler)
+      pull-requests: write # to add labels to PRs (actions/labeler)
+
     name: Pull Request Labeler
     runs-on: ubuntu-latest
     steps:
author	Alex Low <aleksandrosansan@gmail.com>	2022-09-19 12:20:37 +0200
committer	Josef Schlehofer <pepe.schlehofer@gmail.com>	2022-12-04 16:26:59 +0100
commit	3a9f927c2f74bce2f8b6c1fe654db3ef2cabae0a (patch)
tree	c45ef176726c446b37be92f042aeba05943b057d /.github/workflows/labeler.yml
parent	8496275f83fda227f9b9c8d706ca18d1d3733c77 (diff)
download	upstream-3a9f927c2f74bce2f8b6c1fe654db3ef2cabae0a.tar.gz upstream-3a9f927c2f74bce2f8b6c1fe654db3ef2cabae0a.tar.bz2 upstream-3a9f927c2f74bce2f8b6c1fe654db3ef2cabae0a.zip