From e6b95fbba9eeb7e75b31c3393683b4da6f0ab5e8 Mon Sep 17 00:00:00 2001 From: Trask Stalnaker Date: Sat, 1 Feb 2025 11:56:43 -0800 Subject: [PATCH] Restrict GITHUB_TOKEN default permission --- .github/repository-settings.md | 5 +++++ .github/workflows/assign-reviewers.yml | 6 ++++++ 2 files changed, 11 insertions(+) diff --git a/.github/repository-settings.md b/.github/repository-settings.md index 00bcbb91dfcb..cf7f6bb86d01 100644 --- a/.github/repository-settings.md +++ b/.github/repository-settings.md @@ -18,6 +18,11 @@ settings](https://github.com/open-telemetry/community/blob/main/docs/how-to-conf (To reduce friction for new contributors, as the default is "Require approval for first-time contributors") +- Workflow permissions + - Default permissions granted to the `GITHUB_TOKEN` when running workflows in this repository: + Read repository contents and packages permissions + - Allow GitHub Actions to create and approve pull requests: UNCHECKED + ## Branch protections The order of branch protection rules diff --git a/.github/workflows/assign-reviewers.yml b/.github/workflows/assign-reviewers.yml index e22123762fff..d63de2cfac41 100644 --- a/.github/workflows/assign-reviewers.yml +++ b/.github/workflows/assign-reviewers.yml @@ -8,8 +8,14 @@ on: # because repository write permission is needed to assign reviewers pull_request_target: +permissions: + contents: read + jobs: assign-reviewers: + permissions: + contents: read + pull-requests: write runs-on: ubuntu-latest steps: - uses: trask/component-owners@02dfde3c03025c064cc6961975e28a42e81c394a # main
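Review bot: In the repository-settings.md hunk, the new "Workflow permissions" bullet documents the restrictive token default but does not say what that means for workflows: once the default is "Read repository contents and packages", any job that needs more (for example `pull-requests: write`) must request it explicitly in a `permissions:` block, as assign-reviewers.yml in this same patch does. Suggest adding one line under the bullet pointing maintainers at that requirement so the next workflow author does not debug a silent 403. Keeping "Allow GitHub Actions to create and approve pull requests: UNCHECKED" in the doc is worthwhile, since it is a manual setting that is easy to lose when the repository is recreated or transferred.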
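Review bot: In the assign-reviewers.yml hunk, the job-level `permissions:` block restates `contents: read` without saying why, and the reason is non-obvious: a job-level `permissions:` replaces the workflow-level block rather than merging with it, so omitting `contents: read` there would drop that scope to none. A short comment above the job block would prevent a future cleanup from "deduplicating" it. The pre-existing comment "because repository write permission is needed to assign reviewers" is now slightly misleading, since the job is granted only `pull-requests: write`; suggest rewording it to say that `pull_request_target` is used so the token carries the `pull-requests: write` scope needed to assign reviewers. The top-level `permissions: contents: read` is fine as defense in depth for any job added later, and the action being pinned to a full commit SHA with the `# main` annotation is the right pattern for a `pull_request_target` workflow.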