Set top and job level permissions for janitor.yml

It seems that the janitor.yml workflow only needs pull-requests: write permission -- to close the PRs. I've also granted the contents: read just in case. PiperOrigin-RevId: 561444486
1 year ago · a3dfe32eeb
parent 403a32d0ab
commit a3dfe32eeb
1 changed files with 5 additions and 0 deletions
--- a/.github/workflows/janitor.yml
+++ b/.github/workflows/janitor.yml
@ -6,10 +6,15 @@ on:
    - cron: 0 10 * * *
  workflow_dispatch:

+permissions: {}
+
 jobs:
  stale-prs:
    name: Close Stale Copybara PRs
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write # to allow closing the PR
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      GH_REPO: ${{ github.repository }}