ci(assign): define permissions for auto assign workflow

Explicitely stating required permissions is considered best practice. This case was detected by Poutine, see https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/default_permissions_on_risky_events.md. Signed-off-by: Florian Greinacher <[email protected]>
siemens · May 3, 2024 · f0dbfee · f0dbfee
1 parent 7328ad3
commit f0dbfee
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/.github/workflows/assign.yml b/.github/workflows/assign.yml
@@ -15,8 +15,13 @@ on:
   pull_request:
     types: [opened, ready_for_review]
 
+permissions: {}
+
 jobs:
   add-reviews:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - uses: kentaro-m/[email protected]