From 491759dfd9812b35473081c37d9d8bee47199a6c Mon Sep 17 00:00:00 2001
From: Simon Thulbourn <sthulb@users.noreply.github.com>
Date: Wed, 29 Nov 2023 09:27:33 +0100
Subject: [PATCH 1/2] chore(ci): Permissions work

---
 .github/workflows/label_pr_on_title.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index d8535a599a..82dcef3f6a 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -18,6 +18,8 @@ jobs:
     with:
       record_pr_workflow_id: ${{ github.event.workflow_run.id }}
       workflow_origin: ${{ github.event.repository.full_name }}
+    permissions:
+      pull-requests: read
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
   label_pr:
@@ -40,4 +42,4 @@ jobs:
           # and label PR based on semantic title accordingly
           script: |
             const script = require('.github/scripts/label_pr_based_on_title.js')
-            await script({github, context, core})
\ No newline at end of file
+            await script({github, context, core})

From ea98922a967d5e85672f7373c4db52a4b57427a8 Mon Sep 17 00:00:00 2001
From: Simon Thulbourn <sthulb@users.noreply.github.com>
Date: Wed, 29 Nov 2023 09:29:35 +0100
Subject: [PATCH 2/2] Update on-merge-to-main.yml

---
 .github/workflows/on-merge-to-main.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/on-merge-to-main.yml b/.github/workflows/on-merge-to-main.yml
index e32eddef02..0b25dacfdd 100644
--- a/.github/workflows/on-merge-to-main.yml
+++ b/.github/workflows/on-merge-to-main.yml
@@ -16,6 +16,7 @@ jobs:
   get_pr_details:
     if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
     permissions:
+      contents: read
       pull-requests: read
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with: