From a3dfe32eebfb1b989da1ca77ac5bddb4d49fadb1 Mon Sep 17 00:00:00 2001
From: Protobuf Team Bot
Date: Wed, 30 Aug 2023 14:07:16 -0700
Subject: [PATCH] Set top and job level permissions for janitor.yml

It seems that the janitor.yml workflow only needs pull-requests: write permission -- to close the PRs. I've also granted the contents: read just in case.

PiperOrigin-RevId: 561444486
---
 .github/workflows/janitor.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/janitor.yml b/.github/workflows/janitor.yml
index 2d0d2325ea..3e01e3799c 100644
--- a/.github/workflows/janitor.yml
+++ b/.github/workflows/janitor.yml
@@ -6,10 +6,15 @@ on:
 - cron: 0 10 * * *
 workflow_dispatch:
+permissions: {}
+
 jobs:
 stale-prs:
 name: Close Stale Copybara PRs
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write # to allow closing the PR
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GH_REPO: ${{ github.repository }}
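Review bot: The `contents: read` grant in the new job-level `permissions:` block has no stated need (the commit description adds it "just in case"), so the token is wider than closing PRs requires. The job's steps lie outside the hunk, so whether anything reads repository contents cannot be confirmed from here. If nothing does, drop the line; otherwise give it a why-comment like the one on the line below, e.g. `contents: read # to allow <step that reads the repo>`. Separately, `GH_TOKEN` is set in the job-level `env:`, so every step receives the write-capable token; if only one step calls `gh`, moving `GH_TOKEN` into that step's own `env:` would narrow exposure.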