From ca0891ec2a6074f79b17b1000e4fc91d48971d34 Mon Sep 17 00:00:00 2001
From: Bill Glesias
Date: Fri, 19 Jan 2024 08:56:23 -0500
Subject: [PATCH] chore: set GH_TOKEN permissions on the job that only allow the semantic pull request job, that runs with pull_request_target, to have access to read the repository contents and pull-requests contents. The token does not have write permissions and has disabled read permissions on contexts that are not needed for the job (#28749)
---
 .github/workflows/semantic-pull-request.yml | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/semantic-pull-request.yml b/.github/workflows/semantic-pull-request.yml
index 8b61f18f8f61..dd874a65ae24 100644
--- a/.github/workflows/semantic-pull-request.yml
+++ b/.github/workflows/semantic-pull-request.yml
@@ -1,5 +1,21 @@
 name: "Semantic Pull Request"
-
+# @see https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+permissions:
+  actions: none
+  checks: none
+  # to check out & read the repository
+  contents: read
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  # to read pull-request data, including commits/issues linked
+  pull-requests: read
+  repository-projects: none
+  security-events: none
+  statuses: none
 on:
   pull_request_target:
     types:
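Review bot: The `permissions:` block is placed at the top level of the workflow (before `on:`), so it sets the default token scope for every job in the file, not "on the job" as the commit subject says; with a single job the effect is the same, but any job added later silently inherits `contents: read` / `pull-requests: read`, which is worth stating, e.g. `# workflow-wide default: every job gets only these scopes unless it declares its own permissions:` above the key. The explicit `none` entries are redundant once any scope is listed (GitHub drops unlisted scopes to none) but usefully document intent, so keeping them is fine. Note that this key only narrows the GITHUB_TOKEN; any other repository secret the `pull_request_target` job references is unaffected by it, which matters because that trigger runs in the base-repository context. `on:` is a YAML 1.1 truthy key, so a yamllint `truthy` suppression may be needed if the repo lints workflows.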