Explicitly set GH_TOKEN permissions #93

	name: Flowzone

	on:
	pull_request:
	types: [opened, synchronize, closed]
	branches: [main, master]
	# allow external contributions to use secrets within trusted code
	pull_request_target:
	types: [opened, synchronize, closed]
	branches: [main, master]

	# Base permissions required by Flowzone
	# https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
	# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions
	permissions:
	actions: none
	attestations: none
	checks: none
	contents: read
	deployments: none
	id-token: none
	issues: none
	discussions: none
	pages: none
	pull-requests: none
	repository-projects: none
	security-events: none
	statuses: none

	# Additional permissions needed by this repo, such as:
	packages: write # Allow Flowzone to publish to ghcr.io

	jobs:
	flowzone:
	name: Flowzone
	uses: product-os/flowzone/.github/workflows/flowzone.yml@master
	# prevent duplicate workflow executions for pull_request and pull_request_target
	if: \|
	(
	github.event.pull_request.head.repo.full_name == github.repository &&
	github.event_name == 'pull_request'
	) \|\| (
	github.event.pull_request.head.repo.full_name != github.repository &&
	github.event_name == 'pull_request_target'
	)
	secrets: inherit
	with:
	rust_toolchain: stable
	cargo_targets: \|
	aarch64-unknown-linux-musl,
	x86_64-unknown-linux-musl
	docker_images: \|
	ghcr.io/balena-os/mock-systemd-bus

Provide feedback