From 76a00b40bb6f31e230d8eb8abf29041cd4c8285b Mon Sep 17 00:00:00 2001
From: Dan Yeaw <dan@yeaw.me>
Date: Mon, 2 May 2022 21:23:50 -0400
Subject: [PATCH] Update permissions based on https://app.stepsecurity.io
 analysis.

---
 .github/workflows/pr-labeler.yml      | 5 ++++-
 .github/workflows/release-drafter.yml | 7 +++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
index b31c2e8..74d0d09 100644
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -3,10 +3,13 @@ on:
   pull_request_target:
     types: [opened]
 
+permissions:
+  contents: read
+
 jobs:
   pr-labeler:
     permissions:
-      issues: write
+      pull-requests: write  # for TimonVS/pr-labeler-action to add labels in PR
     runs-on: ubuntu-latest
     if: "!contains(github.event.head_commit.message, 'skip ci')"
     steps:
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index b0023f2..22ce20d 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -4,11 +4,14 @@ on:
   push:
     branches: main
 
+permissions:
+  contents: read
+
 jobs:
   update-release-draft:
     permissions:
-      contents: write
-      pull-requests: read
+      contents: write  # for release-drafter/release-drafter to create a github release
+      pull-requests: write  # for release-drafter/release-drafter to add label to PR
     runs-on: ubuntu-latest
     if: "!contains(github.event.head_commit.message, 'skip ci')"
     steps: