MAINT, ENH: move labeler permissions to the level of the job

See scipy#19088. These permissions are moved from the level of the workflow to that of the job for security reasons, since this workflow uses the `pull_request_target` event. [skip cirrus] [skip circle]
agriyakhetarpal · Dec 21, 2023 · 4f103ea · 4f103ea
1 parent e72de07
commit 4f103ea
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/.github/workflows/pull-request-labeler.yml b/.github/workflows/pull-request-labeler.yml
@@ -4,13 +4,13 @@ on:
 
 # Permissions needed for labelling Pull Requests automatically
 # https://docs.github.com/en/actions/security-guides/automatic-token-authentication
-permissions:
-   contents: read
-   pull-requests: write
 
 jobs:
 
   label_pull_request:
+    permissions:
+      contents: read
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
     - uses: thomasjpfan/labeler@v2.5.1