From ea2e5243e2c59457a5a6cbe9f2344f824d8514b7 Mon Sep 17 00:00:00 2001
From: Aaron Dewes <aaron@nirvati.org>
Date: Sun, 26 Jan 2025 10:14:52 +0100
Subject: [PATCH] Improve sandboxing of `pull_request_target` workflow

This restricts the workflow's token so that it can no longer push content; it can only comment on PRs or open and close (not merge) them.

This means that even if someone manages to bypass the sandboxing somehow, they can not really exploit this workflow to extract secrets etc.
---
 .github/workflows/main.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 6f45ada2..8296f5b8 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -9,6 +9,10 @@ on:
     branches:
       - master
 
+permissions:
+  pull-requests: write
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest
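Review bot: The new `permissions:` block scopes only the automatic GITHUB_TOKEN; any other value the jobs read via `secrets.*` stays available to steps running in the `pull_request_target` context, so the commit message's claim that secrets can no longer be extracted holds only if the workflow references no other secrets (the `check` job starts here and continues past the hunk, so that cannot be confirmed from this view). A workflow-level `permissions:` block is also just a default — a `permissions:` key on any job overrides it, so the jobs below should be checked for one that re-grants `contents: write`. I would record the scope of the guarantee above the block: `# Default GITHUB_TOKEN scope for all jobs: read-only repo access, PR comment/open/close only.` followed by `# Does not limit other secrets.* used by steps; a job-level permissions: key overrides this.` It is also worth confirming that the `on:` section above the hunk actually uses `pull_request_target`, as the title states, since only `branches: - master` is visible here.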