From be0f2acb96add18321cb1b8a57f8feb0137b7a4e Mon Sep 17 00:00:00 2001
From: "Sean T. Allen"
Date: Sun, 26 Jan 2025 15:21:54 +0000
Subject: [PATCH] Add minimal permissions to some actions workflows
---
 .github/workflows/add-discuss-during-sync.yml | 3 +++
 .github/workflows/changelog-bot.yml | 5 +++++
 .github/workflows/lint-action-workflows.yml | 5 ++++-
 .github/workflows/release-notes-reminder.yml | 7 ++++++-
 .github/workflows/release-notes.yml | 1 +
 .github/workflows/remove-discuss-during-sync.yml | 3 +++
 6 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/add-discuss-during-sync.yml b/.github/workflows/add-discuss-during-sync.yml
index 46d3f134..f04f2e1c 100644
--- a/.github/workflows/add-discuss-during-sync.yml
+++ b/.github/workflows/add-discuss-during-sync.yml
@@ -18,6 +18,9 @@ on:
 types:
 - submitted
+permissions:
+ pull-requests: write
+
 jobs:
 add-label:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/changelog-bot.yml b/.github/workflows/changelog-bot.yml
index aede2f39..4149ba45 100644
--- a/.github/workflows/changelog-bot.yml
+++ b/.github/workflows/changelog-bot.yml
@@ -9,6 +9,11 @@ on:
 paths-ignore:
 - CHANGELOG.md
+permissions:
+ packages: read
+ pull-requests: read
+ contents: write
+
 jobs:
 changelog-bot:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint-action-workflows.yml b/.github/workflows/lint-action-workflows.yml
index ed595c44..5ef31732 100644
--- a/.github/workflows/lint-action-workflows.yml
+++ b/.github/workflows/lint-action-workflows.yml
@@ -6,6 +6,9 @@ concurrency:
 group: lint-actions-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ packages: read
+
 jobs:
 lint:
 name: Lint
@@ -14,6 +17,6 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4.1.1
 - name: Check workflow files
- uses: docker://ghcr.io/ponylang/shared-docker-ci-actionlint:20241206
+ uses: docker://ghcr.io/ponylang/shared-docker-ci-actionlint:20250119
 with:
 args: -color
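Review bot: In `.github/workflows/add-discuss-during-sync.yml` the new block grants only `pull-requests: write`, and once a `permissions` key is present every scope it does not list becomes `none` for `GITHUB_TOKEN`. The trigger list begins above line 18 and is outside the hunk; if it also contains issue events and the labelling step authenticates with `GITHUB_TOKEN`, adding a label to an issue would be refused, and the block would need `  issues: write` as a second entry. The identical block added to `remove-discuss-during-sync.yml` deserves the same check against its own triggers.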
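Review bot: In `.github/workflows/changelog-bot.yml` the `contents: write` grant sits at workflow level, so any job added to this file later inherits write access to the repository without anyone having decided that. I would keep the top-level block read-only and move the write scope under the job, i.e. place `permissions:` with `contents: write` (plus the two read scopes) directly beneath `changelog-bot:`. The job body continues past the end of the hunk, so whether every listed scope is actually used by its steps cannot be confirmed from here.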
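Review bot: The block added to `.github/workflows/lint-action-workflows.yml` lists only `packages: read`, which sets `contents` to `none`, yet the first step of the job (visible in the following hunk) is `actions/checkout@v4.1.1`. On a public repository the checkout should still succeed, but the same workflow would fail in a private repository, and `contents: read` is the documented minimum for the checkout action. I would add `  contents: read` under `permissions:` so the block states what the job really depends on.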
diff --git a/.github/workflows/release-notes-reminder.yml b/.github/workflows/release-notes-reminder.yml
index ba3c0cda..9ee3644c 100644
--- a/.github/workflows/release-notes-reminder.yml
+++ b/.github/workflows/release-notes-reminder.yml
@@ -2,7 +2,12 @@ name: Release Notes Reminder
 on:
 pull_request_target:
- types: [labeled]
+ types:
+ - labeled
+
+permissions:
+ packages: read
+ pull-requests: write
 jobs:
 release-note-reminder:
diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml
index 0f9e100c..120fbf74 100644
--- a/.github/workflows/release-notes.yml
+++ b/.github/workflows/release-notes.yml
@@ -12,6 +12,7 @@ on:
 permissions:
 packages: read
+ pull-requests: read
 contents: write
 jobs:
diff --git a/.github/workflows/remove-discuss-during-sync.yml b/.github/workflows/remove-discuss-during-sync.yml
index c4d7d6d7..bab8a12f 100644
--- a/.github/workflows/remove-discuss-during-sync.yml
+++ b/.github/workflows/remove-discuss-during-sync.yml
@@ -8,6 +8,9 @@ on:
 types:
 - closed
+permissions:
+ pull-requests: write
+
 jobs:
 remove-label:
 runs-on: ubuntu-latest
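Review bot: In `.github/workflows/release-notes-reminder.yml` the trigger is `pull_request_target`, which runs in the base repository's context with access to its secrets, and the new `permissions` block narrows only `GITHUB_TOKEN`. The job's steps lie outside the hunk; if they hand a personal access token or another secret to the action, that credential is not limited by `pull-requests: write`. I would add a comment above `permissions:` such as `# pull_request_target: runs with base-repo privileges; this job must not check out or run PR head code`, so the constraint is visible to whoever edits the job next.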