From a50948a1150ab418c6b1f188f17dcbcaf583a246 Mon Sep 17 00:00:00 2001
From: Claas Augner <caugner@mozilla.com>
Date: Thu, 16 Oct 2025 16:57:18 +0200
Subject: [PATCH 1/2] ci(workflows): assign explicit permissions

---
 .github/workflows/auto-merge.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index 78e0e826..ed91a006 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -3,6 +3,10 @@ name: auto-merge
 on:
   pull_request_target:
 
+permissions:
+  # Label pull requests.
+  pull-requests: write
+
 jobs:
   auto-merge:
     uses: mdn/workflows/.github/workflows/auto-merge.yml@main

From 462f32fac0b7e041a86c01f981be27616280a34b Mon Sep 17 00:00:00 2001
From: Claas Augner <495429+caugner@users.noreply.github.com>
Date: Thu, 16 Oct 2025 18:03:20 +0200
Subject: [PATCH 2/2] ci(auto-merge): remove permissions

---
 .github/workflows/auto-merge.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index ed91a006..58ee62e9 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -3,9 +3,8 @@ name: auto-merge
 on:
   pull_request_target:
 
-permissions:
-  # Label pull requests.
-  pull-requests: write
+# No GITHUB_TOKEN permissions, as we use AUTOMERGE_TOKEN instead.
+permissions: {}
 
 jobs:
   auto-merge: