From 7cba328d73d8e6367b44650f620d95104bdea50e Mon Sep 17 00:00:00 2001
From: Ee Durbin <ewdurbin@gmail.com>
Date: Sat, 21 May 2022 03:54:14 -0400
Subject: [PATCH] set minimum token permissions for github workflows

---
 .github/workflows/ci.yml          | 2 ++
 .github/workflows/combine-prs.yml | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bbd1184c9878..9b5f99543b60 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,8 @@ on:
     branches:
       - main
   pull_request:
+permissions:
+  contents: read
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
diff --git a/.github/workflows/combine-prs.yml b/.github/workflows/combine-prs.yml
index e0b360e53f4c..17f7f55b1a2e 100644
--- a/.github/workflows/combine-prs.yml
+++ b/.github/workflows/combine-prs.yml
@@ -15,6 +15,9 @@ on:
         required: true
         default: 'combine-prs-branch'
 
+permissions:
+  pull-requests: write
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   # This workflow contains a single job called "combine-prs"