fix(ci): Permissions (#782)

* fix(ci): Permissions

* remove permission

* I don't know

* remove permissions

* update permissions

---------

Co-authored-by: Henrique Graca <999396+hjgraca@users.noreply.github.com>

Author: sthulb

.github/workflows/label_pr_on_title.yml

@@ -6,14 +6,12 @@ on:
     types:
       - completed
 
-permissions:
-  contents: read
-
 jobs:
   get_pr_details:
     permissions:
-      id-token: write
       contents: read
+      id-token: write
+      pull-requests: read
     # Guardrails to only ever run if PR recording workflow was indeed
     # run in a PR event and ran successfully
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
@@ -27,6 +25,7 @@ jobs:
     permissions:
       contents: read
       id-token: write
+      pull-requests: write
     needs: get_pr_details
     runs-on: ubuntu-latest
     steps:

.github/workflows/on_label_added.yml

@@ -12,6 +12,7 @@ permissions:
 jobs:
   get_pr_details:
     permissions:
+    contents: read
       id-token: write
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     uses: ./.github/workflows/reusable_export_pr_details.yml

.github/workflows/on_opened_pr.yml

@@ -13,6 +13,7 @@ jobs:
   get_pr_details:
     permissions:
       id-token: write
+      contents: read
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with:

.github/workflows/reusable_export_pr_details.yml

@@ -43,6 +43,7 @@ jobs:
   export_pr_details:
     permissions:
       id-token: write
+      contents: read
     # see https://github.com/aws-powertools/powertools-lambda-python/issues/1349
     if: inputs.workflow_origin == 'aws-powertools/powertools-lambda-dotnet'
     runs-on: ubuntu-latest