From a571520ea16e9671a8ad5eccfb5605bcb14f32d4 Mon Sep 17 00:00:00 2001
From: heitorlessa <lessa@amazon.co.uk>
Date: Tue, 4 Jul 2023 14:06:24 +0200
Subject: [PATCH 1/2] chore: correct job name for pr updates requirements

---
 .github/workflows/on_pr_updates.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/on_pr_updates.yml b/.github/workflows/on_pr_updates.yml
index 003bc0880a8..2663d707399 100644
--- a/.github/workflows/on_pr_updates.yml
+++ b/.github/workflows/on_pr_updates.yml
@@ -17,7 +17,7 @@ name: PR requirements
 # due to limitations in GH API.
 
 on:
- pull_request:
+  pull_request:
     types:
       - opened
       - labeled
@@ -26,7 +26,7 @@ on:
 permissions: {}  # no permission required
 
 jobs:
-  fail-for-draft:
+  check-requirements:
     runs-on: ubuntu-latest
     steps:
       - name: Block if it doesn't minimum requirements

From 1dd976e805c05317b34c726f5de20fb5e0b3f890 Mon Sep 17 00:00:00 2001
From: heitorlessa <lessa@amazon.co.uk>
Date: Tue, 4 Jul 2023 14:09:55 +0200
Subject: [PATCH 2/2] fix(ci): propagate content read to nested workflow

---
 .github/workflows/label_pr_on_title.yml | 1 +
 .github/workflows/on_label_added.yml    | 1 +
 .github/workflows/on_merged_pr.yml      | 1 +
 .github/workflows/on_opened_pr.yml      | 1 +
 4 files changed, 4 insertions(+)

diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
index 48fb24b2476..c69f0f8d7a8 100644
--- a/.github/workflows/label_pr_on_title.yml
+++ b/.github/workflows/label_pr_on_title.yml
@@ -33,6 +33,7 @@ jobs:
   get_pr_details:
     permissions:
       actions: read  # download PR artifact
+      contents: read # checkout code
     # Guardrails to only ever run if PR recording workflow was indeed
     # run in a PR event and ran successfully
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
diff --git a/.github/workflows/on_label_added.yml b/.github/workflows/on_label_added.yml
index d378a5d3e9d..8f7194097e3 100644
--- a/.github/workflows/on_label_added.yml
+++ b/.github/workflows/on_label_added.yml
@@ -32,6 +32,7 @@ jobs:
   get_pr_details:
     permissions:
       actions: read  # download PR artifact
+      contents: read # checkout code
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with:
diff --git a/.github/workflows/on_merged_pr.yml b/.github/workflows/on_merged_pr.yml
index f3896118d10..e435d59951d 100644
--- a/.github/workflows/on_merged_pr.yml
+++ b/.github/workflows/on_merged_pr.yml
@@ -33,6 +33,7 @@ jobs:
   get_pr_details:
     permissions:
       actions: read  # download PR artifact
+      contents: read # checkout code
     if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with:
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
index 79e77bd9488..1b9cb2f4de2 100644
--- a/.github/workflows/on_opened_pr.yml
+++ b/.github/workflows/on_opened_pr.yml
@@ -33,6 +33,7 @@ jobs:
   get_pr_details:
     permissions:
       actions: read  # download PR artifact
+      contents: read # checkout code
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with: