From b06dd6830ac063851fbc5d5833785e520d876091 Mon Sep 17 00:00:00 2001
From: Simon Thulbourn
Date: Mon, 24 Feb 2025 14:20:12 +0100
Subject: [PATCH 1/5] fix(ci): Permissions
---
 .github/workflows/on_label_added.yml | 1 +
 .github/workflows/on_opened_pr.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/.github/workflows/on_label_added.yml b/.github/workflows/on_label_added.yml
index f2f407de4..4d0613a83 100644
--- a/.github/workflows/on_label_added.yml
+++ b/.github/workflows/on_label_added.yml
@@ -12,6 +12,7 @@ permissions:
 jobs:
 get_pr_details:
 permissions:
+ contents: read
 id-token: write
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
 uses: ./.github/workflows/reusable_export_pr_details.yml
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index b04f6f1a6..7f281badd 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -13,6 +13,7 @@ jobs:
 get_pr_details:
 permissions:
 id-token: write
+ contents: read
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
 uses: ./.github/workflows/reusable_export_pr_details.yml
 with:
From 2f08893af954ed9ac3bf565a7e3b152421730b01 Mon Sep 17 00:00:00 2001
From: Simon Thulbourn
Date: Mon, 24 Feb 2025 14:30:21 +0000
Subject: [PATCH 2/5] remove permission
---
 .github/workflows/label_pr_on_title.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index c5712d75c..dfe28cf6d 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -6,9 +6,6 @@ on:
 types:
 - completed

-permissions:
- contents: read
-
 jobs:
 get_pr_details:
 permissions:
From d9369ec127a10bcf77b442bb5cbc967cc2a617d8 Mon Sep 17 00:00:00 2001
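Review bot: The new `contents: read` line sits above `id-token: write` in on_label_added.yml but below it in on_opened_pr.yml (second hunk of this patch); keeping the scopes in one order across the workflows that call the same reusable workflow makes the three permission blocks diffable against each other. Both `get_pr_details` jobs invoke `./.github/workflows/reusable_export_pr_details.yml`, and a job-level `permissions` block on such a caller is the ceiling the called workflow's jobs may request, so every scope the reusable workflow needs must also appear in each caller. A short comment above the block, e.g. `# must cover every scope requested by reusable_export_pr_details.yml`, would record that coupling for the next person editing either side. The `get_pr_details` job definitions continue outside both hunks.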
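Review bot: Removing the workflow-level `permissions:` block from label_pr_on_title.yml (the `-permissions:` / `- contents: read` lines) also removes the read-only floor for any job in that file that has no `permissions` key of its own; such jobs then inherit the repository's default `GITHUB_TOKEN` scope, which can be read-write depending on repository settings. If the intent is to scope each job individually, keeping a top-level `permissions: {}` and granting scopes per job preserves least privilege for jobs added later without their own block. Whether other jobs in this file lack a job-level block is not visible from the hunk.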
From: Simon Thulbourn
Date: Mon, 24 Feb 2025 14:58:28 +0000
Subject: [PATCH 3/5] I don't know
---
 .github/workflows/label_pr_on_title.yml | 1 -
 .github/workflows/reusable_export_pr_details.yml | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index dfe28cf6d..31fc59cf3 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -10,7 +10,6 @@ jobs:
 get_pr_details:
 permissions:
 id-token: write
- contents: read
 # Guardrails to only ever run if PR recording workflow was indeed
 # run in a PR event and ran successfully
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
index 904c70560..83de7718f 100644
--- a/.github/workflows/reusable_export_pr_details.yml
+++ b/.github/workflows/reusable_export_pr_details.yml
@@ -43,6 +43,7 @@ jobs:
 export_pr_details:
 permissions:
 id-token: write
+ contents: read
 # see https://github.com/aws-powertools/powertools-lambda-python/issues/1349
 if: inputs.workflow_origin == 'aws-powertools/powertools-lambda-dotnet'
 runs-on: ubuntu-latest
From 29eb6e15a2e2762dba76d0c44baaafb34ee300c0 Mon Sep 17 00:00:00 2001
From: Simon Thulbourn
Date: Mon, 24 Feb 2025 15:45:41 +0000
Subject: [PATCH 4/5] remove permissions
---
 .github/workflows/label_pr_on_title.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index 31fc59cf3..4c7c3ddce 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -21,7 +21,6 @@ jobs:
 token: ${{ secrets.GITHUB_TOKEN }}
 label_pr:
 permissions:
- contents: read
 id-token: write
 needs: get_pr_details
 runs-on: ubuntu-latest
From 0108cf602610dd6a4e69d53a9b6440cfd2f0a121 Mon Sep 17 00:00:00 2001
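Review bot: `contents: read` is dropped from the `get_pr_details` caller job in label_pr_on_title.yml while the second hunk of this patch adds that same scope to the `export_pr_details` job in reusable_export_pr_details.yml, which the caller presumably invokes through its `uses:` line as the other two callers do. A called workflow's job can only use scopes the calling job grants, so after this patch the run from label_pr_on_title.yml would presumably be rejected for requesting a scope its caller does not allow; patch 5 of this series re-adds the line, which is consistent with that having happened. The two hunks belong together, with `contents: read` kept in every caller, and the subject line `I don't know` should state what the change is for. The `get_pr_details` and `export_pr_details` job definitions continue outside their hunks.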
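Review bot: After removing `contents: read`, the explicit `permissions` block on `label_pr` in label_pr_on_title.yml grants only `id-token: write`, and an explicit job-level block sets every unlisted scope to none, so a job that applies a label with `GITHUB_TOKEN` (the `token: ${{ secrets.GITHUB_TOKEN }}` context line suggests that is how the file works) presumably also needs `pull-requests: write`; patch 5 of this series adds exactly that. It would be clearer to fold this removal into that later patch so no intermediate commit leaves the job without a usable scope. The `label_pr` job's steps continue outside the hunk.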
From: Simon Thulbourn
Date: Tue, 25 Feb 2025 13:32:34 +0000
Subject: [PATCH 5/5] update permissions
---
 .github/workflows/label_pr_on_title.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index 4c7c3ddce..3fd5d9caa 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -9,7 +9,9 @@ on:
 jobs:
 get_pr_details:
 permissions:
+ contents: read
 id-token: write
+ pull-requests: read
 # Guardrails to only ever run if PR recording workflow was indeed
 # run in a PR event and ran successfully
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
@@ -21,7 +23,9 @@ jobs:
 token: ${{ secrets.GITHUB_TOKEN }}
 label_pr:
 permissions:
+ contents: read
 id-token: write
+ pull-requests: write
 needs: get_pr_details
 runs-on: ubuntu-latest
 steps:
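Review bot: Neither new `permissions` block in label_pr_on_title.yml says what each scope is needed for, and `id-token: write` is kept in both `get_pr_details` and `label_pr` (second hunk) although nothing in either hunk shows an OIDC token being requested; `id-token: write` only allows the job to mint an OIDC token for federation with an external provider, so if no step does that it can be dropped from the labelling job. A trailing comment per scope, e.g. `pull-requests: write  # needed to apply labels with GITHUB_TOKEN`, would let a later reviewer prune unused scopes with confidence. Across patches 2–5 this series removes and re-adds `contents: read` in this file several times; the final state is fine, but squashing would make the net permission change easier to audit. Both job definitions continue outside their hunks.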