CI: Move permissions from workflow-level to job-level

This is a no-op for most of these since they have a single job, but in the case of docs this does restrict the contents write permission to just deployment, and not build.
Unidata · Dec 6, 2024 · 25c523d · 25c523d
1 parent 1350863
commit 25c523d
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 14 deletions.
diff --git a/.github/workflows/assign-milestone.yml b/.github/workflows/assign-milestone.yml
@@ -6,12 +6,12 @@ on:
     types: [closed]
     branches: [main]
 
-permissions:
-  pull-requests: write
-  issues: write
-
 jobs:
   sync:
+    permissions:
+      pull-requests: write
+      issues: write
+
     name: Assign Latest Milestone
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/backport-prs.yml b/.github/workflows/backport-prs.yml
@@ -1,9 +1,5 @@
 name: Backport PRs
 
-permissions:
-  pull-requests: write
-  contents: write
-
 on:
   pull_request_target:
     types:
@@ -14,6 +10,10 @@ jobs:
   Backport:
     runs-on: ubuntu-latest
     if: github.event.pull_request.merged && contains( github.event.pull_request.labels.*.name, 'backport' )
+    permissions:
+      pull-requests: write
+      contents: write
+
     steps:
       - name: Checkout PR HEAD
         uses: actions/checkout@v4

diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
@@ -18,13 +18,13 @@ on:
   schedule:
     - cron: '0 8 * * 6'
 
-permissions:
-  contents: read
-  security-events: write
 
 jobs:
   CodeQL:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
 
     steps:
     - name: Checkout repository

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -10,9 +10,6 @@ on:
       - v[0-9]+.[0-9]+.[0-9]+
   pull_request:
 
-permissions:
-  contents: write
-
 concurrency:
   group: ${{ github.workflow}}-${{ github.head_ref }}
   cancel-in-progress: true
@@ -66,6 +63,8 @@ jobs:
     runs-on: ubuntu-latest
     env:
       DOC_VERSION: dev
+    permissions:
+      contents: write
 
     steps:
     - name: Download doc build