build: harden GitHub workflow permissions

Grant pull-requests write permission to the labeler workflow and read-only to everything else. Signed-off-by: Alex Low <aleksandrosansan@gmail.com> [ wrap to 80 columns and fix wrong author as requested by author itself ] Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
author: Alex Low <aleksandrosansan@gmail.com> 2022-09-19 12:20:37 +0200
committer: Christian Marangi <ansuelsmth@gmail.com> 2022-09-19 15:02:27 +0200
commit: 715259940776843d8799bc39de8eb50eb764189b (patch)
tree: c1335df0ea5bb357ac2c91ab90157873acff8686 /.github/workflows/labeler.yml
parent: 412fcf3d4400f84551f3ead0514834c62d94a251 (diff)
download: upstream-715259940776843d8799bc39de8eb50eb764189b.tar.gz
upstream-715259940776843d8799bc39de8eb50eb764189b.tar.bz2
upstream-715259940776843d8799bc39de8eb50eb764189b.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 6bcdf51a89..420617809b 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -2,8 +2,15 @@ name: 'Pull Request Labeler'
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   labeler:
+    permissions:
+      contents: read # to determine modified files (actions/labeler)
+      pull-requests: write # to add labels to PRs (actions/labeler)
+
     name: Pull Request Labeler
     runs-on: ubuntu-latest
     steps:
author	Alex Low <aleksandrosansan@gmail.com>	2022-09-19 12:20:37 +0200
committer	Christian Marangi <ansuelsmth@gmail.com>	2022-09-19 15:02:27 +0200
commit	715259940776843d8799bc39de8eb50eb764189b (patch)
tree	c1335df0ea5bb357ac2c91ab90157873acff8686 /.github/workflows/labeler.yml
parent	412fcf3d4400f84551f3ead0514834c62d94a251 (diff)
download	upstream-715259940776843d8799bc39de8eb50eb764189b.tar.gz upstream-715259940776843d8799bc39de8eb50eb764189b.tar.bz2 upstream-715259940776843d8799bc39de8eb50eb764189b.zip