Merge pull request #35 from github/workflow-updates

disable fork deployments and add an explicit `read` permission

.github/workflows/branch-deploy.yml

@@ -10,6 +10,7 @@ permissions:
   deployments: write
   contents: write
   checks: read
+  statuses: read
 
 jobs:
   branch-deploy:
@@ -32,6 +33,7 @@ jobs:
           trigger: ".deploy"
           environment: "production"
           sticky_locks: "true" # https://github.com/github/branch-deploy/blob/1f6516ef5092890ce75d9e97ca7cbdb628e38bdd/docs/hubot-style-deployment-locks.md
+          allow_forks: "false"
         
       # Check out the ref from the output of the IssueOps command
       - uses: actions/checkout@v4