From 517225b99e5ba2bac068a58208ce9a85402ba9eb Mon Sep 17 00:00:00 2001
From: Step Security Bot
Date: Wed, 16 Nov 2022 12:44:25 -0800
Subject: [PATCH] ci: add default action permissions (#36363)

* [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot

* Delete dependabot.yml

Signed-off-by: StepSecurity Bot

Co-authored-by: Jeremy Rose
---
 .github/workflows/electron_woa_testing.yml | 3 +++
 .github/workflows/issue-labeled.yml | 6 ++++++
 .github/workflows/release_dependency_versions.yml | 3 +++
 3 files changed, 12 insertions(+)

diff --git a/.github/workflows/electron_woa_testing.yml b/.github/workflows/electron_woa_testing.yml
index a7667da1afba..3af8d005f3ae 100644
--- a/.github/workflows/electron_woa_testing.yml
+++ b/.github/workflows/electron_woa_testing.yml
@@ -10,6 +10,9 @@ on:
 type: text
 required: true
 
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
 jobs:
 electron-woa-init:
 if: ${{ github.event_name == 'push' && github.repository == 'electron/electron' }}
diff --git a/.github/workflows/issue-labeled.yml b/.github/workflows/issue-labeled.yml
index 085fec0936a3..11d994585269 100644
--- a/.github/workflows/issue-labeled.yml
+++ b/.github/workflows/issue-labeled.yml
@@ -4,8 +4,14 @@ on:
 issues:
 types: [labeled]
 
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
 jobs:
 issue-labeled:
+ permissions:
+ issues: write # for actions-cool/issues-helper to update issues
+ pull-requests: write # for actions-cool/issues-helper to update PRs
 runs-on: ubuntu-latest
 steps:
 - name: blocked/need-repro
diff --git a/.github/workflows/release_dependency_versions.yml b/.github/workflows/release_dependency_versions.yml
index 425f4ce4ab96..32806dcc6890 100644
--- a/.github/workflows/release_dependency_versions.yml
+++ b/.github/workflows/release_dependency_versions.yml
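Review bot: The inline comment on the added `permissions:` line has only one space before `#`; yamllint's `comments` rule wants two, so `permissions:  # added using https://github.com/step-security/secure-workflows`. The same spacing applies to the `permissions:` lines added to issue-labeled.yml and release_dependency_versions.yml and to the two job-level scope comments in issue-labeled.yml. Separately, the workflow-level `contents: read` now caps GITHUB_TOKEN for every job in electron_woa_testing.yml and no job here gets its own `permissions` block, so if any step in electron-woa-init or the jobs below the hunk pushes, uploads artifacts to a release or sets commit statuses, it will now be denied and needs a job-level `permissions:` entry like the one issue-labeled.yml receives. The job bodies are outside the hunk, so that is worth confirming against the steps.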
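Review bot: The job-level `pull-requests: write` added to issue-labeled looks wider than the trigger needs: this workflow only runs on `issues: types: [labeled]`, and labeling a pull request is delivered as a `pull_request` event rather than `issues`, so the steps here should only ever handle issue numbers. Unless a step below the hunk deliberately calls the pull-request API, dropping that line and keeping just `issues: write` matches least privilege; the remaining steps are outside the hunk, so confirm before removing. Either way the scope comments would be more useful if they named the operation each scope is for, e.g. `issues: write  # actions-cool/issues-helper: comment on / close labeled issues`, adjusted to whatever the steps actually do.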
@@ -7,6 +7,9 @@ on:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
 jobs:
 check_tag:
 runs-on: ubuntu-latest
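Review bot: With `contents: read` now the workflow-wide default, the `GITHUB_TOKEN` exported under `env:` just above the added block is a read-only token for every job, so check_tag and any job past the hunk will get a 403 on any write call made through that variable; if this release flow creates tags, releases or commits, that job needs its own `permissions:` block with `contents: write` rather than relying on the workflow default. Exporting the token as a workflow-level env var also hands it to every step, including third-party actions, which undercuts the new least-privilege setting; moving it to a step-level `env:` on the steps that call the API would keep the token scoped. The job steps are outside the hunk, so both points are to be confirmed against them.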