From 0757cc74a44ef6c33b191c6543d213c47ce44648 Mon Sep 17 00:00:00 2001
From: Abram Sanderson <absander@microsoft.com>
Date: Tue, 23 Jan 2024 13:22:09 -0800
Subject: [PATCH] Add permissions block to changeset workflows

---
 .github/workflows/changeset-reporter.yml | 3 +++
 .github/workflows/pr-check-changeset.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/changeset-reporter.yml b/.github/workflows/changeset-reporter.yml
index 7511d4f0dc08..b7ceb5aeeac7 100644
--- a/.github/workflows/changeset-reporter.yml
+++ b/.github/workflows/changeset-reporter.yml
@@ -14,6 +14,9 @@ on:
 jobs:
   load_report:
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      pull-requests: write
     steps:
       - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
         with:
diff --git a/.github/workflows/pr-check-changeset.yml b/.github/workflows/pr-check-changeset.yml
index ff714e2f019d..c00d2ce4c2dd 100644
--- a/.github/workflows/pr-check-changeset.yml
+++ b/.github/workflows/pr-check-changeset.yml
@@ -11,6 +11,9 @@ on:
   pull_request:
     types: [labeled, unlabeled, opened, synchronize, reopened]
 
+permissions:
+  pull-requests: read
+
 jobs:
   # When a PR has the changeset-required label, check if it has a changeset.
   changeset-required: