From d6813600d5c130895da31a4a5d60ca7a37ae051e Mon Sep 17 00:00:00 2001
From: "Luke W. Johnston"
Date: Thu, 24 Jul 2025 14:07:55 +0200
Subject: [PATCH] refactor: :recycle: limit permissions used in workflow
---
 template/.github/workflows/add-to-project.yml.jinja | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/template/.github/workflows/add-to-project.yml.jinja b/template/.github/workflows/add-to-project.yml.jinja
index 6ecc2ac..955b8d5 100644
--- a/template/.github/workflows/add-to-project.yml.jinja
+++ b/template/.github/workflows/add-to-project.yml.jinja
@@ -11,12 +11,14 @@ on:
 - reopened
 - opened
 
-permissions:
- pull-requests: write
+# Limit token permissions for security
+permissions: read-all
 
 jobs:
 add-to-project:
 uses: seedcase-project/.github/.github/workflows/reusable-add-to-project.yml@main
+ permissions:
+ pull-requests: write
 with:
 board-number: {{ github_board_number }}
 app-id: {{ '${{ vars.ADD_TO_BOARD_APP_ID }}' }}
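Review bot: The workflow-level `permissions: read-all` is a wider default than the block it replaces: the old top-level `pull-requests: write` left every other scope at `none`, whereas `read-all` grants read on all scopes to any job that does not declare its own `permissions`. The `add-to-project` job is unaffected because its job-level block replaces the default, so a deny-by-default top level, `permissions: {}`, would keep the effective token the same and match the comment `# Limit token permissions for security`. The job-level `pull-requests: write` is the ceiling handed to the reusable workflow referenced at `@main` on the unchanged `uses:` line, so pinning that reference to a full commit SHA would keep a later change on that branch from inheriting the write scope. Whether the called workflow needs `pull-requests: write` at all cannot be checked from this hunk; it also receives an app id, which may mean the board update runs under a separate app token.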