From fe565c283dfe2423e7487d5890a34494f7a182fc Mon Sep 17 00:00:00 2001 From: Florian Greinacher Date: Fri, 3 May 2024 14:26:52 +0200 Subject: [PATCH] ci: define permissions for contributing comment workflow Explicitly stating required permissions is considered best practice. This case was detected by Poutine, see https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/default_permissions_on_risky_events.md. Signed-off-by: Florian Greinacher --- .github/workflows/contributing.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/contributing.yml b/.github/workflows/contributing.yml index a5164fb82..42c6f9127 100644 --- a/.github/workflows/contributing.yml +++ b/.github/workflows/contributing.yml @@ -7,6 +7,10 @@ on: types: - opened +permissions: + contents: read # for reading contributing file + issues: write # for posting PR comment + jobs: comment: runs-on: ubuntu-latest
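Review bot: the `issues: write` scope added in this hunk is only sufficient if the `comment` job posts through the issue-comments API (pull request comments are issue comments, so `issues: write` covers that case); if the job instead creates a review or review comment, it needs `pull-requests: write`, which this block does not grant, and the run will fail with a 403 once the explicit block replaces the repository default. Since the `comment` job body is outside the hunk, please confirm which endpoint the step uses and adjust the scope or the inline comment (`# for posting PR comment`) accordingly. The hunk also shows only `types: - opened` of the trigger; if the event above line 7 is `pull_request_target`, note that a write-scoped token now runs against PRs from forks, so the job should not check out or execute PR head content. Setting the block at workflow level is fine for a single-job workflow; `contents: read` is needed for the checkout that the first comment describes.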