From 50176d76626b3a52cbb40a3a3de9a7a62b2343cd Mon Sep 17 00:00:00 2001
From: Jaroslav Kysela
Date: Tue, 31 Mar 2026 09:36:34 +0200
Subject: [PATCH] github: workflow: try to set permissions explicitly

Signed-off-by: Jaroslav Kysela
---
 .github/workflows/label-automation.yml | 5 +++++
 .github/workflows/pr-validation.yml | 5 +++++
 .github/workflows/reusable-label-commenter.yml | 4 ++++
 .github/workflows/reusable-sob-validator.yml | 4 ++++
 4 files changed, 18 insertions(+)

diff --git a/.github/workflows/label-automation.yml b/.github/workflows/label-automation.yml
index d354176..2a77d4c 100644
--- a/.github/workflows/label-automation.yml
+++ b/.github/workflows/label-automation.yml
@@ -11,6 +11,11 @@ on:
 pull_request_target:
 types: [labeled, unlabeled]
 
+permissions:
+ contents: read
+ pull-requests: write
+ issues: write
+
 jobs:
 handle-label:
 uses: ./.github/workflows/reusable-label-commenter.yml
diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
index d862b78..6651653 100644
--- a/.github/workflows/pr-validation.yml
+++ b/.github/workflows/pr-validation.yml
@@ -13,6 +13,11 @@ on:
 required: true
 type: number
 
+permissions:
+ contents: read
+ pull-requests: write
+ issues: write
+
 jobs:
 validate-commits:
 uses: ./.github/workflows/reusable-sob-validator.yml
diff --git a/.github/workflows/reusable-label-commenter.yml b/.github/workflows/reusable-label-commenter.yml
index 40f2ff1..296e408 100644
--- a/.github/workflows/reusable-label-commenter.yml
+++ b/.github/workflows/reusable-label-commenter.yml
@@ -16,6 +16,10 @@ on:
 jobs:
 add-label-comment:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ issues: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/reusable-sob-validator.yml b/.github/workflows/reusable-sob-validator.yml
index d115be3..15a94d1 100644
--- a/.github/workflows/reusable-sob-validator.yml
+++ b/.github/workflows/reusable-sob-validator.yml
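Review bot: The top-level `permissions:` block added to label-automation.yml gives `pull-requests: write` and `issues: write` to every job in a workflow triggered by `pull_request_target`, where the token belongs to the base repository even when the pull request comes from a fork. Only the `handle-label` call is visible here (the `jobs:` map continues outside the hunk), so placing the same three keys under `jobs.handle-label.permissions` would stop any job added later from inheriting the write scopes. It is also worth confirming that both write scopes are really needed and recording the reason in a comment, for example `# write scopes are only for posting the label comment; contents stays read-only`. The same block is added at workflow level in pr-validation.yml, whose trigger is not visible in its hunk, and the same scoping applies to `validate-commits` there.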
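Review bot: The job-level `permissions:` added to `add-label-comment` gives the job a token with `pull-requests: write` and `issues: write` immediately before an `actions/checkout@v4` step, and checkout by default leaves that token in the workspace's git configuration for every later step. If the remaining steps (outside this hunk) never push or fetch again, adding `with:` / `persist-credentials: false` to the checkout step would keep the write-capable token out of the working tree. A called workflow can only keep or narrow what its caller grants, so this block is the right place to document the minimum, e.g. `# needs write only to comment on the PR/issue`. The same applies to `validate-signedoff` in reusable-sob-validator.yml.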
@@ -26,6 +26,10 @@ on:
 jobs:
 validate-signedoff:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ issues: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
--
2.52.0