[arm-auto-signoff] Add permission "statuses: read" (#36551)

- replaces previous premission "checks: read"

Author: mikeharder

.github/workflows/arm-auto-signoff.yaml

@@ -16,11 +16,17 @@ on:
     types: [completed]
 
 permissions:
+  # actions.listWorkflowRunsForRepo
+  # actions.listWorkflowRunArtifacts
   actions: read
-  checks: read
+  # default
   contents: read
+  # issues.listLabelsOnIssue
   issues: read
+  # issues.listLabelsOnIssue
   pull-requests: read
+  # repos.listCommitStatusesForRef
+  statuses: read
 
 jobs:
   arm-auto-signoff:

.github/workflows/src/arm-auto-signoff.js

@@ -56,6 +56,7 @@ export async function getLabelActionImpl({ owner, repo, issue_number, head_sha,
   };
 
   // TODO: Try to extract labels from context (when available) to avoid unnecessary API call
+  // permissions: { issues: read, pull-requests: read }
   const labels = await github.paginate(github.rest.issues.listLabelsOnIssue, {
     owner: owner,
     repo: repo,
@@ -72,6 +73,7 @@ export async function getLabelActionImpl({ owner, repo, issue_number, head_sha,
 
   core.info(`Labels: ${labelNames}`);
 
+  // permissions: { actions: read }
   const workflowRuns = await github.paginate(github.rest.actions.listWorkflowRunsForRepo, {
     owner,
     repo,
@@ -106,6 +108,7 @@ export async function getLabelActionImpl({ owner, repo, issue_number, head_sha,
         return removeAction;
       }
 
+      // permissions: { actions: read }
       const artifacts = await github.paginate(github.rest.actions.listWorkflowRunArtifacts, {
         owner,
         repo,
@@ -143,6 +146,7 @@ export async function getLabelActionImpl({ owner, repo, issue_number, head_sha,
     return removeAction;
   }
 
+  // permissions: { statuses: read }
   const statuses = await github.paginate(github.rest.repos.listCommitStatusesForRef, {
     owner: owner,
     repo: repo,