From 4949f12dcdff3329c6ec422081c8c693149c8abd Mon Sep 17 00:00:00 2001
From: Stephen Morgan
Date: Thu, 10 Apr 2025 16:39:30 +1200
Subject: [PATCH] ci: explicit permissions on actions revoke pull_request_target
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/conventional-commits.yml | 3 +++
 .github/workflows/stale.yml | 5 +++++
 3 files changed, 11 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ad78336..b48b36d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,9 @@ on:
 pull_request:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Test / OS ${{ matrix.os }} / Python ${{ matrix.python-version }}
diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
index 71e0e1d..065c5c3 100644
--- a/.github/workflows/conventional-commits.yml
+++ b/.github/workflows/conventional-commits.yml
@@ -16,6 +16,9 @@ on:
 - reopened
 - ready_for_review
 
+permissions:
+ contents: read
+
 jobs:
 check-conventional-commits:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index fc68e63..a7e3641 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,6 +4,11 @@ on:
 schedule:
 - cron: '0 0 * * *'
 
+permissions:
+ contents: write
+ issues: write
+ pull-requests: write
+
 jobs:
 mark_stale:
 name: Mark issues and PRs as Stale
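Review bot: The new top-level `permissions:` block in ci.yml carries no comment, and its side effect is easy to miss: once any scope is listed, every scope that is not listed drops to `none` for all jobs in the workflow. I would put a line above it such as `# Least privilege: GITHUB_TOKEN is read-only for contents, every other scope is none; a job that needs more must declare its own permissions block.` The same comment fits the identical block added to conventional-commits.yml. The job definitions continue below the hunk, so it is worth confirming that none of them relies on a scope this now removes.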
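Review bot: The trigger of conventional-commits.yml is left as it was (the diffstat lists insertions only), so if this workflow runs on `pull_request_target`, as the subject suggests, the added `contents: read` narrows the token but the job still runs in the base repository's context with access to its secrets. The `on:` key and the job steps are outside the hunk, so please confirm that the job never checks out or executes code from the pull request head. If the check reads the PR title or commits through the API, the block should probably also list `pull-requests: read`, since unlisted scopes become `none`.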
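Review bot: `contents: write` in the stale.yml block looks broader than marking issues and PRs stale requires, since labelling, commenting and closing are covered by `issues: write` and `pull-requests: write`. The steps are outside the hunk, but if the job uses actions/stale, that action only needs write access to contents when its branch-deletion option is enabled. Unless that is the case here, I would drop the line or reduce it to `contents: read`. Declaring the three scopes on the `mark_stale` job rather than at workflow level would also keep any job added later from inheriting write access.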