From 4f103eadea3a512f78f6c65901179c03c92f9242 Mon Sep 17 00:00:00 2001
From: Agriya Khetarpal <74401230+agriyakhetarpal@users.noreply.github.com>
Date: Thu, 21 Dec 2023 18:50:35 +0530
Subject: [PATCH] MAINT, ENH: move labeler permissions to the level of the job See #19088. These permissions are moved from the level of the workflow to that of the job for security reasons, since this workflow uses the `pull_request_target` event. [skip cirrus] [skip circle]
---
 .github/workflows/pull-request-labeler.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/pull-request-labeler.yml b/.github/workflows/pull-request-labeler.yml
index 64701f33721c..f5c318b43413 100644
--- a/.github/workflows/pull-request-labeler.yml
+++ b/.github/workflows/pull-request-labeler.yml
@@ -4,13 +4,13 @@ on:
 # Permissions needed for labelling Pull Requests automatically
 # https://docs.github.com/en/actions/security-guides/automatic-token-authentication
-permissions:
- contents: read
- pull-requests: write
 jobs:
 label_pull_request:
+ permissions:
+ contents: read
+ pull-requests: write
 runs-on: ubuntu-latest
 steps:
 - uses: thomasjpfan/labeler@v2.5.1
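Review bot: Removing the workflow-level `permissions:` block leaves the workflow with no default, so any job added here later would receive the repository's default `GITHUB_TOKEN` scopes instead of a restricted set. Because the trigger is `pull_request_target`, keep a deny-by-default `permissions: {}` at the top level and leave the `contents: read` / `pull-requests: write` grant on `label_pull_request` as this change places it. The comment `# Permissions needed for labelling Pull Requests automatically` and its docs link now sit directly above `jobs:` with nothing under them; move both to just above the job-level `permissions:` key so the explanation stays with the grant. The job's steps continue past the end of the hunk, so how the token reaches `thomasjpfan/labeler@v2.5.1` is not visible here.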