shaka-project · joeyparrish · Dec 9, 2024 · Dec 9, 2024
diff --git a/set-commit-status/README.md b/set-commit-status/README.md
@@ -6,6 +6,11 @@ from workflows with non-PR triggers (such as manually-triggered workflows).
 To use this in a step, write something like:
 
 ```yaml
+    permissions:
+      # "Write" to statuses to update commit status
+      statuses: write
+
+    steps:
       - name: Report final commit status
         # Will run on success or failure, but not if the workflow is cancelled
         # or if we were asked to ignore the test status.
@@ -17,3 +22,8 @@ To use this in a step, write something like:
           state: ${{ job.status }}
           token: ${{ secrets.GITHUB_TOKEN }}
 ```
+
+## Permissions
+
+A GitHub-generated token requires "write" permission to "statuses" to be able to
+set the commit status.
diff --git a/sync-labels/sync-labels.yaml b/sync-labels/sync-labels.yaml
@@ -16,6 +16,11 @@ on:
 jobs:
   sync-labels:
     runs-on: ubuntu-latest
+
+    permissions:
+      # "Write" to Issues to manage labels for the repo
+      issues: write
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4

diff --git a/update-issues/update-issues.yaml b/update-issues/update-issues.yaml
@@ -15,6 +15,13 @@ permissions:
 jobs:
   update-issues:
     runs-on: ubuntu-latest
+
+    permissions:
+      # "Write" to Issues to add labels, milestones, comments, etc.
+      issues: write
+      # "Write" to Pull Requests for the same.
+      pull-requests: write
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4