From 55d320fa8f971e5b4ae7c4c359bff15e15d69dfa Mon Sep 17 00:00:00 2001
From: Simon Thulbourn <sthulb@users.noreply.github.com>
Date: Thu, 30 Nov 2023 11:56:25 +0100
Subject: [PATCH 1/2] chore(ci): Update permissions in workflows

---
 .github/workflows/on_opened_pr.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 717b9f5acf..32051a53c8 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -18,6 +18,8 @@ jobs:
       workflow_origin: ${{ github.event.repository.full_name }}
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
+    permissions: 
+      pull-requests: read
   check_related_issue:
     permissions:
       issues: read
@@ -39,4 +41,4 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             const script = require('.github/scripts/label_missing_related_issue.js')
-            await script({github, context, core})
\ No newline at end of file
+            await script({github, context, core})

From 2a34a41b400134295210eeb3de1ca08e44358053 Mon Sep 17 00:00:00 2001
From: Simon Thulbourn <sthulb@users.noreply.github.com>
Date: Thu, 30 Nov 2023 12:03:33 +0100
Subject: [PATCH 2/2] add contents read

---
 .github/workflows/label_pr_on_title.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index 82dcef3f6a..7cc88ada13 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -19,6 +19,7 @@ jobs:
       record_pr_workflow_id: ${{ github.event.workflow_run.id }}
       workflow_origin: ${{ github.event.repository.full_name }}
     permissions:
+      contents: read
       pull-requests: read
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}