From 986f3e7eff3bc8d046d45a5c83ba1fef9713e908 Mon Sep 17 00:00:00 2001
From: Claas Augner
Date: Thu, 16 Oct 2025 17:48:23 +0200
Subject: [PATCH] ci(workflows): assign explicit permissions
---
 .github/workflows/auto-merge.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index f3f223df9..10d6866e6 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -3,10 +3,13 @@ name: auto-merge
 on:
 pull_request_target:

+# No GITHUB_TOKEN permissions, as we use AUTOMERGE_TOKEN instead.
+permissions: {}
+
 jobs:
 auto-merge:
 uses: mdn/workflows/.github/workflows/auto-merge.yml@main
 with:
- target-repo: 'mdn/todo-react'
+ target-repo: "mdn/todo-react"
 secrets:
 GH_TOKEN: ${{ secrets.AUTOMERGE_TOKEN }}
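Review bot: The `uses: mdn/workflows/.github/workflows/auto-merge.yml@main` context line still references the reusable workflow by a mutable branch, so the new `permissions: {}` narrows only the GITHUB_TOKEN while `AUTOMERGE_TOKEN` is passed, on a `pull_request_target` trigger, to whatever `main` of that repository contains at run time. Pinning the reference to a full commit SHA, e.g. `uses: mdn/workflows/.github/workflows/auto-merge.yml@<full-commit-sha> # main`, would keep the code that receives the token fixed and reviewable. Separately, a caller's `permissions` block is an upper bound for the called workflow's GITHUB_TOKEN, so it is worth confirming that nothing in the called workflow (not visible in this patch) relies on that token. The added comment could also state which scopes AUTOMERGE_TOKEN carries, since that token is now the job's effective privilege.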