From 4c4ed106a473addb38b0c42ae168ef4299bd3ca0 Mon Sep 17 00:00:00 2001
From: Nicola Soranzo <nicola.soranzo@earlham.ac.uk>
Date: Tue, 21 May 2024 12:40:22 +0100
Subject: [PATCH] Use job permissions instead of token

---
 .github/workflows/labels-verifier.yaml | 3 ++-
 .github/workflows/maintenance_bot.yaml | 9 ++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/labels-verifier.yaml b/.github/workflows/labels-verifier.yaml
index 484040885dd8..415942a371d1 100644
--- a/.github/workflows/labels-verifier.yaml
+++ b/.github/workflows/labels-verifier.yaml
@@ -5,6 +5,8 @@ on:
 jobs:
   onMerged:
     name: "Check Labels on merge"
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - name: Check Labels on merge
@@ -15,7 +17,6 @@ jobs:
           ! contains(github.event.pull_request.labels.*.name, 'minor')
         uses: actions/github-script@v6
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             github.rest.issues.createComment({
               owner: context.repo.owner,
diff --git a/.github/workflows/maintenance_bot.yaml b/.github/workflows/maintenance_bot.yaml
index d307e97d5ac7..3ff2d86d6f86 100644
--- a/.github/workflows/maintenance_bot.yaml
+++ b/.github/workflows/maintenance_bot.yaml
@@ -6,6 +6,9 @@ jobs:
   labeler:
     name: Assign labels and milestone
     if: github.repository_owner == 'galaxyproject'
+    permissions:
+      contents: read
+      pull-requests: write
     runs-on: ubuntu-latest
     env:
       MILESTONE_NUMBER: 27
@@ -14,7 +17,6 @@ jobs:
         id: get_pr_labels
         uses: actions/github-script@v6
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             const response = await github.rest.issues.listLabelsOnIssue({
               owner: context.repo.owner,
@@ -25,9 +27,7 @@ jobs:
             return response.data;
       - name: Add area labels
         if: ${{ ! contains(join(fromJSON(steps.get_pr_labels.outputs.result).*.name, ', '), 'area/') }}
-        uses: actions/labeler@v4
-        with:
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+        uses: actions/labeler@v5
       - name: Assign milestone
         if: |
           ! github.event.pull_request.milestone &&
@@ -37,7 +37,6 @@ jobs:
           ! github.event.pull_request.draft
         uses: actions/github-script@v6
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             github.rest.issues.update({
               owner: context.repo.owner,