Added permissions for GitHub workflow config (#6791)

* Added permissions for GitHub workflow config

* Added a changelog entry

---------

Co-authored-by: Bryan Kendall <[email protected]>

Author: aalej

CHANGELOG.md

@@ -4,3 +4,4 @@
     that this is a preview feature and if you find any bugs, please file them
     here: <https://github.com/firebase/firebase-tools/issues>.
 - Improve FAH onboarding flow to connect backends with SCMs (#6764).
+- Fixed issue where GitHub actions would fail due to lack of permission. (#6791)

src/init/features/hosting/github.ts

@@ -277,6 +277,7 @@ function mkdirNotExists(dir: string): void {
 type GitHubWorkflowConfig = {
   name: string;
   on: string | { [key: string]: { [key: string]: string[] } };
+  permissions?: string | { [key: string]: string };
   jobs: {
     [key: string]: {
       if?: string;
@@ -300,6 +301,11 @@ function writeChannelActionYMLFile(
   const workflowConfig: GitHubWorkflowConfig = {
     name: "Deploy to Firebase Hosting on PR",
     on: "pull_request",
+    permissions: {
+      checks: "write",
+      contents: "read",
+      "pull-requests": "write",
+    },
     jobs: {
       ["build_and_preview"]: {
         if: "${{ github.event.pull_request.head.repo.full_name == github.repository }}", // secrets aren't accessible on PRs from forks