From a96a73d0d73ab87e4c9d0ae0db3819fbcdfce2ff Mon Sep 17 00:00:00 2001
From: Daniel Jiang <daniel.jiang@broadcom.com>
Date: Tue, 21 Apr 2026 17:26:57 +0800
Subject: [PATCH] Set permissions to the actions

This commit update the actions  "Auto Assign Author", "Auto Label PRs",
and  "Auto Request Review"

Signed-off-by: Daniel Jiang <daniel.jiang@broadcom.com>
---
 .github/workflows/auto_assign_prs.yml     | 5 ++++-
 .github/workflows/auto_label_prs.yml      | 5 ++++-
 .github/workflows/auto_request_review.yml | 5 ++++-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/auto_assign_prs.yml b/.github/workflows/auto_assign_prs.yml
index d827b697a..9b915533c 100644
--- a/.github/workflows/auto_assign_prs.yml
+++ b/.github/workflows/auto_assign_prs.yml
@@ -7,6 +7,10 @@ on:
   pull_request_target:
     types: [opened, reopened, ready_for_review]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   # Automatically assigns reviewers and owner
   add-reviews:
@@ -16,4 +20,3 @@ jobs:
         uses: kentaro-m/auto-assign-action@v2.0.0
         with:
           configuration-path: ".github/auto-assignees.yml"
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/auto_label_prs.yml b/.github/workflows/auto_label_prs.yml
index a5d912af8..042cc7e95 100644
--- a/.github/workflows/auto_label_prs.yml
+++ b/.github/workflows/auto_label_prs.yml
@@ -8,6 +8,10 @@ on:
   pull_request_target:
     types: [opened, reopened, synchronize, ready_for_review]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   # Automatically labels PRs based on file globs in the change.
   triage:
@@ -15,5 +19,4 @@ jobs:
     steps:
       - uses: actions/labeler@v5
         with:
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
           configuration-path: .github/labeler.yml
diff --git a/.github/workflows/auto_request_review.yml b/.github/workflows/auto_request_review.yml
index 83e7032ab..ba64d151d 100644
--- a/.github/workflows/auto_request_review.yml
+++ b/.github/workflows/auto_request_review.yml
@@ -5,6 +5,10 @@ on:
   pull_request_target:
     types: [opened, ready_for_review, reopened]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   auto-request-review:
     name: Auto Request Review
@@ -13,5 +17,4 @@ jobs:
       - name: Request a PR review based on files types/paths, and/or groups the author belongs to
         uses: necojackarc/auto-request-review@v0.13.0
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           config: .github/auto-assignees.yml