build: harden GitHub workflow permissions
[openwrt/staging/jow.git] / .github / workflows / labeler.yml
index 6bcdf51a89288836ca1b2b676b9b69ad9821afde..420617809b668068d255838bb7f5bcc6650b6c17 100644 (file)
@@ -2,8 +2,15 @@ name: 'Pull Request Labeler'
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   labeler:
+    permissions:
+      contents: read # to determine modified files (actions/labeler)
+      pull-requests: write # to add labels to PRs (actions/labeler)
+
     name: Pull Request Labeler
     runs-on: ubuntu-latest
     steps:
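Review bot: The trigger at the top of the hunk is still `pull_request_target`, so the job runs in the base repository's context and, with the new job-level block, holds a token that can write to pull requests; nothing in the file records why that is safe. A comment above the trigger would capture the constraint, e.g. `# pull_request_target: needed to label PRs from forks; never check out or run PR head code in this workflow`. The `steps:` list continues outside the hunk, so whether a checkout of the PR head happens there cannot be confirmed from here. Since the only visible job declares its own permissions, the workflow-level block could also be `permissions: {}`, so that any job added later starts with no token scopes instead of inheriting `contents: read`.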