From ec2ebb3f04c9846d8dd37a0b5affa82d7b67a6ea Mon Sep 17 00:00:00 2001 From: Huy Do Date: Thu, 11 Jan 2024 18:52:50 -0800 Subject: [PATCH 1/3] Clean up AWS credentials --- .github/workflows/build-test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml index 7cdeb43ebb..5573bb8d28 100644 --- a/.github/workflows/build-test.yml +++ b/.github/workflows/build-test.yml @@ -26,6 +26,9 @@ jobs: build: needs: generate-matrix + permissions: + id-token: write + contents: read strategy: fail-fast: false matrix: @@ -50,9 +53,6 @@ jobs: package-name: ${{ matrix.package-name }} smoke-test-script: ${{ matrix.smoke-test-script }} trigger-event: ${{ github.event_name }} - secrets: - AWS_PYTORCH_UPLOADER_ACCESS_KEY_ID: ${{ secrets.AWS_PYTORCH_UPLOADER_ACCESS_KEY_ID }} - AWS_PYTORCH_UPLOADER_SECRET_ACCESS_KEY: ${{ secrets.AWS_PYTORCH_UPLOADER_SECRET_ACCESS_KEY }} tests-py-torchscript-fe: name: Test torchscript frontend [Python] From fd6b98cd9b9931a921323b6df9cddbc24d58d233 Mon Sep 17 00:00:00 2001 From: Huy Do Date: Fri, 12 Jan 2024 15:01:22 -0800 Subject: [PATCH 2/3] Grant PR write access to token in label and assigner workflows --- .github/workflows/assigner.yml | 3 +++ .github/workflows/label.yml | 7 ++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/assigner.yml b/.github/workflows/assigner.yml index 4970b56728..2b65e554b1 100644 --- a/.github/workflows/assigner.yml +++ b/.github/workflows/assigner.yml @@ -16,6 +16,9 @@ on: jobs: assign: + permissions: + contents: read + pull-requests: write runs-on: ubuntu-latest steps: - name: Checkout diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 10016c4a0b..db4b777dfc 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml 
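Review bot: The `permissions:` block added to the `build` job in `.github/workflows/build-test.yml` (first hunk of PATCH 1/3) grants `id-token: write` without saying what consumes it, so a later reader cannot tell whether the grant is still needed. A comment above it such as `# id-token: write lets the called workflow request an OIDC token to assume the AWS upload role` would record the intent. The role and its trust policy are not visible in this patch; presumably they live in the called workflow and in AWS. It is worth confirming that the trust policy restricts the token's `sub` claim to this repository and to the refs that should upload, because any step in the job can request the token once the permission is granted. The `build` job continues outside the hunk.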
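Review bot: In `.github/workflows/assigner.yml` the `assign` job now runs its `Checkout` step with a token that carries `pull-requests: write`, and the trigger is cut off in this hunk (only `on:` shows in the header). If the workflow runs on `pull_request_target`, the checkout should stay on the base ref and should not leave the token in the workspace, e.g. `persist-credentials: false` under the checkout step's `with:`. That way nothing taken from the pull request can reuse the token. The step list continues outside the hunk, so this may already be handled there.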
@@ -10,11 +10,12 @@ on: [pull_request_target] jobs: label: - + permissions: + contents: read + pull-requests: write runs-on: ubuntu-latest - steps: - - uses: actions/labeler@v2 + - uses: actions/labeler@v4 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" configuration-path: .github/pr-labels.yml From faea0ead09733fea3cc0c557be47793dc4a5c050 Mon Sep 17 00:00:00 2001 From: Huy Do Date: Fri, 12 Jan 2024 15:03:35 -0800 Subject: [PATCH 3/3] Revert "Clean up AWS credentials" This reverts commit ec2ebb3f04c9846d8dd37a0b5affa82d7b67a6ea. --- .github/workflows/build-test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml index 5573bb8d28..7cdeb43ebb 100644 --- a/.github/workflows/build-test.yml +++ b/.github/workflows/build-test.yml @@ -26,9 +26,6 @@ jobs: build: needs: generate-matrix - permissions: - id-token: write - contents: read strategy: fail-fast: false matrix: @@ -53,6 +50,9 @@ jobs: package-name: ${{ matrix.package-name }} smoke-test-script: ${{ matrix.smoke-test-script }} trigger-event: ${{ github.event_name }} + secrets: + AWS_PYTORCH_UPLOADER_ACCESS_KEY_ID: ${{ secrets.AWS_PYTORCH_UPLOADER_ACCESS_KEY_ID }} + AWS_PYTORCH_UPLOADER_SECRET_ACCESS_KEY: ${{ secrets.AWS_PYTORCH_UPLOADER_SECRET_ACCESS_KEY }} tests-py-torchscript-fe: name: Test torchscript frontend [Python]
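Review bot: The new `- uses: actions/labeler@v4` line in `.github/workflows/label.yml` references a movable tag in a job that runs on `pull_request_target` with `pull-requests: write`, so whatever the tag points to at run time executes with that token. Pinning to a full commit SHA with the version in a trailing comment, `- uses: actions/labeler@<full-commit-sha-of-v4>  # v4`, keeps the executed code fixed until someone updates it deliberately. The jump from v2 to v4 spans two major versions, so it is also worth checking that `.github/pr-labels.yml` still matches the configuration format this version expects; that file is not part of the patch.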
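Review bot: The `secrets:` block restored on the `build` job (second hunk of PATCH 3/3) again passes the long-lived `AWS_PYTORCH_UPLOADER_ACCESS_KEY_ID` / `AWS_PYTORCH_UPLOADER_SECRET_ACCESS_KEY` pair to the called workflow, and the commit message gives no reason for backing out of the `id-token` permissions from PATCH 1/3. A comment above the block, e.g. `# TODO: replace static AWS keys with OIDC role assumption once <blocker> is resolved`, would keep the intended migration visible. Because `trigger-event: ${{ github.event_name }}` is forwarded alongside the keys, it is worth confirming in the called workflow (not shown here) that they are only used for events that should publish.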