From 61a0f02d1be387f44fd3913316ada5cfd9924973 Mon Sep 17 00:00:00 2001
From: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Date: Mon, 27 Nov 2023 12:39:34 -0300
Subject: [PATCH]  Set minimal tokens for auto_approve_pr (#14534)

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
---
 .github/workflows/auto_approve_pr.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/auto_approve_pr.yml b/.github/workflows/auto_approve_pr.yml
index 552f1ec2e68..115e648c3d2 100644
--- a/.github/workflows/auto_approve_pr.yml
+++ b/.github/workflows/auto_approve_pr.yml
@@ -3,14 +3,20 @@ on:
   pull_request:
     types: [opened, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   auto_approve:
     name: Auto Approve Pull Request
     runs-on: ubuntu-latest
+
+    permissions:
+      pull-requests: write  # only given on local PRs, forks run with `read` access
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
-
       - name: Auto Approve Pull Request
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}