From 5e71e8bf886a8438e09498c8a62930554f376a0c Mon Sep 17 00:00:00 2001
From: Mathieu Benoit <mathieu.benoit@docker.com>
Date: Tue, 17 Mar 2026 14:55:25 -0400
Subject: [PATCH] Update Dependabot auto-merge permissions

Signed-off-by: Mathieu Benoit <mathieu.benoit@docker.com>
---
 .github/workflows/dependabot-auto-merge.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
index 3f6a2a1..f5abc37 100644
--- a/.github/workflows/dependabot-auto-merge.yaml
+++ b/.github/workflows/dependabot-auto-merge.yaml
@@ -1,12 +1,14 @@
 name: Dependabot auto-merge
 on: pull_request
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 jobs:
   dependabot-auto-merge:
     runs-on: ubuntu-latest
     if: ${{ github.actor == 'dependabot[bot]' && !github.event.pull_request.auto_merge }}
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Approve a PR
         run: gh pr review --approve "$PR_URL"