From f963373db52c9c5d19558f12f700e036c8c52a7f Mon Sep 17 00:00:00 2001
From: Cody Balos <balos1@llnl.gov>
Date: Fri, 17 Jan 2025 16:25:05 -0800
Subject: [PATCH] CI: Fix /autofix command (#646)

Currently, our `/autofix` command does not work because the jobs don't
have the 'write' permission. This will fix it, but not until the change
ends up in `main`.

This permission can be set globally too, but this is more secure.
---
 .github/workflows/check-format.yml   | 2 ++
 .github/workflows/check-spelling.yml | 2 ++
 .github/workflows/check-swig.yml     | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/.github/workflows/check-format.yml b/.github/workflows/check-format.yml
index f96e3cdaf7..34085430c5 100644
--- a/.github/workflows/check-format.yml
+++ b/.github/workflows/check-format.yml
@@ -82,6 +82,8 @@ jobs:
     if: ${{ always() && contains(join(needs.*.result, ','), 'failure') && (github.event_name == 'issue_comment' && startsWith(github.event.comment.body, '/autofix')) }}
     needs: format_check
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       # Checkout the GitHub created reference for the PR.
       # The only way to do this is by using the "issue" number
diff --git a/.github/workflows/check-spelling.yml b/.github/workflows/check-spelling.yml
index 70da910142..9ad9c6af67 100644
--- a/.github/workflows/check-spelling.yml
+++ b/.github/workflows/check-spelling.yml
@@ -62,6 +62,8 @@ jobs:
     if: ${{ always() && contains(join(needs.*.result, ','), 'failure') && (github.event_name == 'issue_comment' && startsWith(github.event.comment.body, '/autofix')) }}
     needs: spelling_check
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       # Checkout the GitHub created reference for the PR.
       # The only way to do this is by using the "issue" number
diff --git a/.github/workflows/check-swig.yml b/.github/workflows/check-swig.yml
index ba7b97aaf4..3948a1ccfc 100644
--- a/.github/workflows/check-swig.yml
+++ b/.github/workflows/check-swig.yml
@@ -70,6 +70,8 @@ jobs:
     if: ${{ always() && contains(join(needs.*.result, ','), 'failure') && (github.event_name == 'issue_comment' && startsWith(github.event.comment.body, '/autofix')) }}
     needs: swig_check
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       # Checkout the GitHub created reference for the PR.
       # The only way to do this is by using the "issue" number