From e37ff81fe8be67cc7fd4ebb6229d29e9435c60c3 Mon Sep 17 00:00:00 2001 From: Florian Greinacher Date: Fri, 3 May 2024 13:36:45 +0200 Subject: [PATCH] ci(assign): define permissions for auto assign workflow Explicitely stating required permissions is considered best practice. This case was detected by Poutine, see https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/default_permissions_on_risky_events.md. Signed-off-by: Florian Greinacher
---
 .github/workflows/assign.yml | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/assign.yml b/.github/workflows/assign.yml
index 1ac9f7cd..9a50a158 100644
--- a/.github/workflows/assign.yml
+++ b/.github/workflows/assign.yml
@@ -15,6 +15,10 @@ on:
 pull_request:
 types: [opened, ready_for_review]
+permissions:
+ contents: read # to read configuration file
+ pull-requests: write # to assign PRs
+
 jobs:
 add-reviews:
 runs-on: ubuntu-latest
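Review bot: `pull-requests: write` is scoped to the whole workflow rather than to the `add-reviews` job, so any job added to this file later inherits the write scope without asking for it. Declaring the same three lines (`permissions:`, `contents: read`, `pull-requests: write`) beneath `add-reviews:` would keep the write scope on the one job that assigns reviewers. The inline comment could also record that on the `pull_request` event a PR from a fork normally receives a read-only token regardless of this block, e.g. `# to assign PRs (fork PRs still get a read-only token)`, so a failed assignment on a fork PR is not mistaken for a misconfiguration. The `on:` block starts above the hunk and the job's steps continue below it, so other triggers and what the steps check out cannot be confirmed from here.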