ci: configure permissions for the pr-checklist workflow (semgrep#8785)

The PR checklist workflow seems to fail when dependabot creates a PR. According to dependabot's documentation (https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#changing-github_token-permissions), dependabot defaults to read-only permissions, so I'm configuring the workflow config to also add write permissions. I'm not sure how to test this except wait until next week when dependabot is triggered again, but I think this is low risk and it seems to be what others have tried (marocchino/sticky-pull-request-comment#930) and succeeded.
cretoxyrhina · Oct 17, 2023 · 862a499 · 862a499
1 parent 37f39a3
commit 862a499
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/.github/workflows/pr-checklist.yaml b/.github/workflows/pr-checklist.yaml
@@ -28,6 +28,16 @@ on:
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+# This permission is needed to comment on a PR. Some GitHub bots
+# such as dependabot only have read permission by default.
+#
+# See:
+# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#changing-github_token-permissions
+#
+# Without this permission, this workflow will fail in those cases.
+permissions:
+  pull-requests: write
+
 jobs:
   add-checklist-comment:
     runs-on: ubuntu-latest