From fe565c283dfe2423e7487d5890a34494f7a182fc Mon Sep 17 00:00:00 2001
From: Florian Greinacher <florian@greinacher.de>
Date: Fri, 3 May 2024 14:26:52 +0200
Subject: [PATCH] ci: define permissions for contributing comment workflow

Explicitely stating required permissions is considered best practice.
This case was detected by Poutine, see
https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/default_permissions_on_risky_events.md.

Signed-off-by: Florian Greinacher <florian.greinacher@siemens.com>
---
 .github/workflows/contributing.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/contributing.yml b/.github/workflows/contributing.yml
index a5164fb82..42c6f9127 100644
--- a/.github/workflows/contributing.yml
+++ b/.github/workflows/contributing.yml
@@ -7,6 +7,10 @@ on:
     types:
       - opened
 
+permissions:
+  contents: read # for reading contributing file
+  issues: write # for posting PR comment
+
 jobs:
   comment:
     runs-on: ubuntu-latest