From 5bcc1bf189a14c500c669298497ce2b728eb7212 Mon Sep 17 00:00:00 2001
From: Nolan Brubaker <nolan@nbrubaker.com>
Date: Mon, 26 Aug 2024 11:21:56 -0400
Subject: [PATCH] Fix permissions for GitHub Actions jobs

* Dependabot needs to be able to update PRs it creates
* The pr-verify job needs to be able to write to the checks API

Signed-off-by: Nolan Brubaker <nolan@nbrubaker.com>
---
 .github/workflows/dependabot.yml | 4 ++++
 .github/workflows/pr-verify.yml  | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
index 20a6fd7993..e72e95c02b 100644
--- a/.github/workflows/dependabot.yml
+++ b/.github/workflows/dependabot.yml
@@ -13,6 +13,10 @@ on:
           description: 'Run code generation manually from GH CLI'
           required: true
           default: 'Make Generate'
+
+permissions:
+  contents: write # Allow actions to update dependabot PRs
+
 jobs:
   build:
     name: Build
diff --git a/.github/workflows/pr-verify.yml b/.github/workflows/pr-verify.yml
index 0198b590bb..51e8acaaf3 100644
--- a/.github/workflows/pr-verify.yml
+++ b/.github/workflows/pr-verify.yml
@@ -4,6 +4,9 @@ on:
   pull_request_target:
     types: [opened, edited, synchronize, reopened]
 
+permissions:
+  checks: write
+
 jobs:
   verify:
     runs-on: ubuntu-latest