From 85494c2fbb2b7cc03f852b289d7fed395e3e8393 Mon Sep 17 00:00:00 2001
From: Gladwin Johnson <90415114+gladjohn@users.noreply.github.com>
Date: Wed, 19 Jul 2023 15:14:37 -0700
Subject: [PATCH] Update auto_assign_reviewer.yml to fix security issue

---
 .github/workflows/auto_assign_reviewer.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/auto_assign_reviewer.yml b/.github/workflows/auto_assign_reviewer.yml
index b0789b3877..b0f1ac6ca5 100644
--- a/.github/workflows/auto_assign_reviewer.yml
+++ b/.github/workflows/auto_assign_reviewer.yml
@@ -3,8 +3,19 @@ on:
   pull_request_target:
     types: [opened, ready_for_review]
 
+permissions:
+  contents: read
+
 jobs:
   add-reviews:
+    permissions:
+      contents: read # for kentaro-m/auto-assign-action to fetch config file
+      pull-requests: write # for kentaro-m/auto-assign-action to assign PR reviewers
     runs-on: ubuntu-latest
     steps:
-      - uses: kentaro-m/auto-assign-action@v1.2.2
+      - name: Harden Runner
+        uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+        with:
+          egress-policy: audit
+
+      - uses: kentaro-m/auto-assign-action@6b1ff132d1a90349f611f44a589088d13a8beb75 # v1.2.2
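Review bot: `egress-policy: audit` on the Harden Runner step only records outbound connections from the runner; it does not restrict them, so on its own it adds visibility but no enforcement to a `pull_request_target` job that carries a `pull-requests: write` token. Since the job runs a single pinned action and checks out no PR code, its required endpoints should be few and stable, so the comment on that line should make the intent explicit and record the follow-up: `egress-policy: audit  # audit only: logs egress, does not block; switch to block with allowed-endpoints once the baseline is known`. The SHA pinning with trailing version comments on both `uses:` lines and the split top-level/job-level `permissions:` blocks are the right shape; the job-level comments should be kept in sync if the action's needs change. As a point of style, the inline comments on the `contents: read` and `pull-requests: write` lines use one space before `#`, whereas yamllint's default expects at least two (`contents: read  # for …`).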