From cfb33f1a41cec670999d740cbcb8a5a9b50e2b6f Mon Sep 17 00:00:00 2001
From: Javier Bullrich <javier@bullrich.dev>
Date: Mon, 15 Jul 2024 11:17:28 +0200
Subject: [PATCH] added scoped permissions to the github tokens

---
 .github/workflows/command-bench-all.yml      | 3 +++
 .github/workflows/command-bench-overhead.yml | 3 +++
 .github/workflows/command-bench.yml          | 3 +++
 .github/workflows/command-fmt.yml            | 3 +++
 .github/workflows/command-sync.yml           | 3 +++
 .github/workflows/command-update-ui.yml      | 3 +++
 6 files changed, 18 insertions(+)

diff --git a/.github/workflows/command-bench-all.yml b/.github/workflows/command-bench-all.yml
index 6aa4f6f7ff00..4128f86fb7c8 100644
--- a/.github/workflows/command-bench-all.yml
+++ b/.github/workflows/command-bench-all.yml
@@ -66,6 +66,9 @@ jobs:
     runs-on: arc-runners-polkadot-sdk-weights
     container:
       image: ${{ needs.set-image.outputs.IMAGE }}
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Download repo
         uses: actions/checkout@v4
diff --git a/.github/workflows/command-bench-overhead.yml b/.github/workflows/command-bench-overhead.yml
index 16cbcefcf269..fec8d37bb9ef 100644
--- a/.github/workflows/command-bench-overhead.yml
+++ b/.github/workflows/command-bench-overhead.yml
@@ -45,6 +45,9 @@ jobs:
     runs-on: arc-runners-polkadot-sdk-benchmark
     container:
       image: ${{ needs.set-image.outputs.IMAGE }}
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Download repo
         uses: actions/checkout@v4
diff --git a/.github/workflows/command-bench.yml b/.github/workflows/command-bench.yml
index b23b06d1b3c0..ac879f443755 100644
--- a/.github/workflows/command-bench.yml
+++ b/.github/workflows/command-bench.yml
@@ -91,6 +91,9 @@ jobs:
     runs-on: arc-runners-polkadot-sdk-benchmark
     container:
       image: ${{ needs.set-image.outputs.IMAGE }}
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Download repo
         uses: actions/checkout@v4
diff --git a/.github/workflows/command-fmt.yml b/.github/workflows/command-fmt.yml
index c949d0768d7a..586b8c77f274 100644
--- a/.github/workflows/command-fmt.yml
+++ b/.github/workflows/command-fmt.yml
@@ -23,6 +23,9 @@ jobs:
     timeout-minutes: 20
     container:
       image: ${{ needs.set-image.outputs.IMAGE }}
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Download repo
         uses: actions/checkout@v4
diff --git a/.github/workflows/command-sync.yml b/.github/workflows/command-sync.yml
index fa5bb9eaf912..c610f4066a87 100644
--- a/.github/workflows/command-sync.yml
+++ b/.github/workflows/command-sync.yml
@@ -38,6 +38,9 @@ jobs:
     runs-on: arc-runners-polkadot-sdk-warpsync
     container:
       image: ${{ needs.set-image.outputs.IMAGE }}
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Download repo
         uses: actions/checkout@v4
diff --git a/.github/workflows/command-update-ui.yml b/.github/workflows/command-update-ui.yml
index b6b0420e7868..860177adc879 100644
--- a/.github/workflows/command-update-ui.yml
+++ b/.github/workflows/command-update-ui.yml
@@ -26,6 +26,9 @@ jobs:
     timeout-minutes: 90
     container:
       image: ${{ needs.set-image.outputs.IMAGE }}
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Download repo
         uses: actions/checkout@v4