From a71452b6029139f686230191e5507c620741a1f8 Mon Sep 17 00:00:00 2001
From: George Adams
Date: Fri, 9 Aug 2024 14:21:19 +0100
Subject: [PATCH] fix permissions
---
 .github/workflows/auto-merge.yml | 3 ++-
 .github/workflows/code-freeze.yml | 4 +++-
 .github/workflows/dependabot-auto-merge.yml | 3 ++-
 .github/workflows/scorecards.yml | 4 ++--
 .github/workflows/updater.yml | 3 ++-
 5 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index fc7453a6d..7edd13baa 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -4,7 +4,8 @@ on:
 pull_request:
 types: [labeled]
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 automerge:
diff --git a/.github/workflows/code-freeze.yml b/.github/workflows/code-freeze.yml
index f14e3ad89..039a2a619 100644
--- a/.github/workflows/code-freeze.yml
+++ b/.github/workflows/code-freeze.yml
@@ -19,7 +19,9 @@ on:
 issue_comment:
 types: [created]
-permissions: read-all
+permissions:
+ contents: write
+ pull-requests: write
 jobs:
 # Check if the pull request target branch matches the required branch-regex?
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 2f75be406..adcd6b5c3 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -1,7 +1,8 @@
 name: Dependabot auto-merge
 on: pull_request_target
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 dependabot:
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 3688dc46e..de602cf36 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -14,8 +14,8 @@ on:
 push:
 branches: ["main"]
-# Declare default permissions as read only.
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 analysis:
diff --git a/.github/workflows/updater.yml b/.github/workflows/updater.yml
index d7c04a3b9..222ca060a 100644
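Review bot: Every scope other than `contents` drops to `none` for the `automerge` job once the top-level block lists only `contents: read`, because GitHub treats unlisted scopes as no access whenever a `permissions:` mapping is given; the identical change in dependabot-auto-merge.yml, scorecards.yml and updater.yml has the same effect. The job bodies lie outside these hunks, so it is not visible whether they use `GITHUB_TOKEN` or a separate token; any job that does rely on `GITHUB_TOKEN` for pull-request or merge calls needs its own job-level `permissions:` block naming those scopes. A comment above the block, such as `# Default token: read-only repository contents; jobs declare anything further.`, would record the intent. For dependabot-auto-merge.yml, which runs on `pull_request_target`, keeping the workflow default this narrow is the right baseline.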
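Review bot: The new top-level block in code-freeze.yml hands `contents: write` and `pull-requests: write` to every job in the workflow, which is wider than the `read-all` it replaces, and the workflow fires on `issue_comment`, an event raised by any user who is able to comment. Keeping the workflow default at `contents: read` and moving the write scopes into a job-level `permissions:` block on the one job that updates the pull request limits what any other step can do with the token. If that job only comments on or labels pull requests, `pull-requests: write` alone is probably sufficient and `contents: write` can be dropped; the job definitions are outside the hunk, so this needs checking against the calls they make. Top-level write scopes are also what the Scorecard Token-Permissions check is designed to flag, and this repository runs Scorecard from scorecards.yml.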
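Review bot: The explanatory comment `# Declare default permissions as read only.` in scorecards.yml is removed together with `read-all`, although the replacement `contents: read` block is still a read-only default and the reason for it is worth keeping beside it. Suggest retaining an updated comment directly above `permissions:`, for example `# Default to read-only repository contents; the analysis job declares the extra scopes it needs.` The `analysis` job body is outside the hunk, so the second half of that wording should be confirmed against the job before it is committed.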
--- a/.github/workflows/updater.yml
+++ b/.github/workflows/updater.yml
@@ -5,7 +5,8 @@ on:
 # Runs every half hour
 - cron: "*/30 * * * *"
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 update_dockerfile: