From 628191e673a55be53eabcacd3e9dc6a18aa630dd Mon Sep 17 00:00:00 2001
From: Vikas Mallapura <5373156+vikasmb@users.noreply.github.com>
Date: Wed, 18 Aug 2021 09:49:24 -0700
Subject: [PATCH 1/2] Change github_token permission

---
 .github/workflows/forked-pr-tests.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/forked-pr-tests.yml b/.github/workflows/forked-pr-tests.yml
index cdc4c62a04..d77bab04f0 100644
--- a/.github/workflows/forked-pr-tests.yml
+++ b/.github/workflows/forked-pr-tests.yml
@@ -8,6 +8,9 @@ on:
         default: ''
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   # Repo owner has triggered this run
   integration-fork:

From 82bb02286a85cc7c54a9b9e179929cc07f82eb5c Mon Sep 17 00:00:00 2001
From: Vikas Mallapura <5373156+vikasmb@users.noreply.github.com>
Date: Wed, 18 Aug 2021 11:23:10 -0700
Subject: [PATCH 2/2] - Modified permissions for github_token in cron and integ
 test workflow - Modified integ test workflow to run on push to master and
 release branches

---
 .github/workflows/cron-test.yml         |  3 +++
 .github/workflows/integration-tests.yml | 12 ++++++++----
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/cron-test.yml b/.github/workflows/cron-test.yml
index 71c8c04b91..146b6fb356 100644
--- a/.github/workflows/cron-test.yml
+++ b/.github/workflows/cron-test.yml
@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: "0 3 * * *"  # every night
 
+permissions:
+  contents: read
+
 jobs:
   # Run nightly e2e tests on self-hosted runner
   integration-cron:
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 188ca2da99..1438ab0d6d 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -1,12 +1,16 @@
 name: Integration tests
 
 on:
-  # Run on every pull request
-  pull_request_target:
-    branches: [ master ]
+  # Runs on push to master or release branches
+  push:
+    branches:
+      - 'master'
+      - 'release*'
+
+permissions:
+  contents: read
 
 jobs:
-  # Branch-based pull request from this repo
   integration-trusted:
     runs-on: self-hosted
     steps: