build: harden bot-pr-new.yaml permissions

sashashura · sashashura · commit 57331603c059 · 2022-11-03T20:54:59.000+02:00
Signed-off-by: Alex &lt;aleksandrosansan@gmail.com&gt;
diff --git a/.github/workflows/bot-pr-new.yaml b/.github/workflows/bot-pr-new.yaml
@@ -6,8 +6,15 @@ on:
   repository_dispatch:
     types: [opened, reopened]
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   comment-welcome:
+    permissions:
+      contents: read  #  to fetch code (actions/checkout)
+      pull-requests: write  #  to comment on pull-request
+
     if: ${{ github.actor == 'tfdocsbot' }}
     runs-on: ubuntu-latest
     steps:
