From 588511a314face6d41ce2f775c32af9190c6c2b8 Mon Sep 17 00:00:00 2001
From: Claudio W <cwunder@gnome.org>
Date: Sat, 25 Nov 2023 14:30:30 +0100
Subject: [PATCH] chore: harden security settings

Signed-off-by: Claudio W <cwunder@gnome.org>
---
 .github/workflows/translations-pr.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/translations-pr.yml b/.github/workflows/translations-pr.yml
index aa52b101f4e00..0853f551737fb 100644
--- a/.github/workflows/translations-pr.yml
+++ b/.github/workflows/translations-pr.yml
@@ -16,11 +16,7 @@ on:
       - '!i18n/locales/en.json'
 
 permissions:
-  # This permission is required by `stefanzweifel/git-auto-commit-action`
-  contents: write
   actions: read
-  # This permission is required by `thollander/actions-comment-pull-request`
-  pull-requests: write
 
 jobs:
   comment_on_translation_pr:
@@ -32,6 +28,10 @@ jobs:
     name: Comment on Translation PR
     runs-on: ubuntu-latest
 
+    permissions:
+      # This permission is required by `thollander/actions-comment-pull-request`
+      pull-requests: write
+
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
@@ -59,6 +59,10 @@ jobs:
     name: Format Crowdin Pull Request
     runs-on: ubuntu-latest
 
+    permissions:
+      # This permission is required by `stefanzweifel/git-auto-commit-action`
+      contents: write
+
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1