From 909e19e63d7989eaaf60db630b46bc15c2944a1c Mon Sep 17 00:00:00 2001
From: kirkrodrigues <2454684+kirkrodrigues@users.noreply.github.com>
Date: Thu, 12 Dec 2024 11:02:56 -0500
Subject: [PATCH] ci(pr-title-checks): Remove default GH workflow permissions and document risk of `pull_request_target` workflow trigger. (#633)
---
 .github/workflows/clp-pr-title-checks.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/clp-pr-title-checks.yaml b/.github/workflows/clp-pr-title-checks.yaml
index 428e9f21d..1c8ced072 100644
--- a/.github/workflows/clp-pr-title-checks.yaml
+++ b/.github/workflows/clp-pr-title-checks.yaml
@@ -2,9 +2,16 @@ name: "clp-pr-title-checks"
 on:
 pull_request_target:
+ # NOTE: Workflows triggered by this event give the workflow access to secrets and grant the
+ # `GITHUB_TOKEN` read/write repository access by default. So we need to ensure:
+ # - This workflow doesn't inadvertently check out, build, or execute untrusted code from the
+ # pull request triggered by this event.
+ # - Each job has `permissions` set to only those necessary.
 types: ["edited", "opened", "reopened"]
 branches: ["main"]
+permissions: {}
+
 concurrency:
 group: "${{github.workflow}}-${{github.ref}}"