chore(ci): propagate checkout permission to nested workflows (#2642)

.github/workflows/label_pr_on_title.yml

@@ -33,6 +33,7 @@ jobs:
   get_pr_details:
     permissions:
       actions: read  # download PR artifact
+      contents: read # checkout code
     # Guardrails to only ever run if PR recording workflow was indeed
     # run in a PR event and ran successfully
     if: ${{ github.event.workflow_run.conclusion == 'success' }}

.github/workflows/on_label_added.yml

@@ -32,6 +32,7 @@ jobs:
   get_pr_details:
     permissions:
       actions: read  # download PR artifact
+      contents: read # checkout code
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with:

.github/workflows/on_merged_pr.yml

@@ -33,6 +33,7 @@ jobs:
   get_pr_details:
     permissions:
       actions: read  # download PR artifact
+      contents: read # checkout code
     if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with:

.github/workflows/on_opened_pr.yml

@@ -33,6 +33,7 @@ jobs:
   get_pr_details:
     permissions:
       actions: read  # download PR artifact
+      contents: read # checkout code
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with:

.github/workflows/on_pr_updates.yml

@@ -17,7 +17,7 @@ name: PR requirements
 # due to limitations in GH API.
 
 on:
- pull_request:
+  pull_request:
     types:
       - opened
       - labeled
@@ -26,7 +26,7 @@ on:
 permissions: {}  # no permission required
 
 jobs:
-  fail-for-draft:
+  check-requirements:
     runs-on: ubuntu-latest
     steps:
       - name: Block if it doesn't minimum requirements