From 25c523d99ee8ad455ef8ecf697b3d594a815c894 Mon Sep 17 00:00:00 2001
From: Ryan May
Date: Fri, 6 Dec 2024 14:14:05 -0700
Subject: [PATCH] CI: Move permissions from workflow-level to job-level

This is a no-op for most of these since they have a single job, but in the case of docs this does restrict the contents write permission to just deployment, and not build.
---
 .github/workflows/assign-milestone.yml | 8 ++++----
 .github/workflows/backport-prs.yml | 8 ++++----
 .github/workflows/code-analysis.yml | 6 +++---
 .github/workflows/docs.yml | 5 ++---
 4 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/assign-milestone.yml b/.github/workflows/assign-milestone.yml
index 4dba85d1af9..3464f57c154 100644
--- a/.github/workflows/assign-milestone.yml
+++ b/.github/workflows/assign-milestone.yml
@@ -6,12 +6,12 @@ on: types: [closed] branches: [main] -permissions: - pull-requests: write - issues: write - jobs: sync: + permissions: + pull-requests: write + issues: write + name: Assign Latest Milestone runs-on: ubuntu-latest steps:
diff --git a/.github/workflows/backport-prs.yml b/.github/workflows/backport-prs.yml
index 301a87479b8..64bf709a115 100644
--- a/.github/workflows/backport-prs.yml
+++ b/.github/workflows/backport-prs.yml
@@ -1,9 +1,5 @@ name: Backport PRs -permissions: - pull-requests: write - contents: write - on: pull_request_target: types:
@@ -14,6 +10,10 @@ jobs: Backport: runs-on: ubuntu-latest if: github.event.pull_request.merged && contains( github.event.pull_request.labels.*.name, 'backport' ) + permissions: + pull-requests: write + contents: write + steps: - name: Checkout PR HEAD uses: actions/checkout@v4
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
index 480d1f89ede..0ab8cf2cb3b 100644
--- a/.github/workflows/code-analysis.yml
+++ b/.github/workflows/code-analysis.yml
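Review bot: Dropping the workflow-level `permissions` block means any job that has no block of its own falls back to the repository's default `GITHUB_TOKEN` permissions, which come from repository/organization settings and may be read-write for every scope; the job-level block added to `sync` constrains only that job. For this single-job workflow the token is the same as before, but the file no longer pins a floor for jobs added later, and in docs.yml (the case the description singles out) the build job now receives the repository default rather than a guaranteed read-only token. Keeping a restrictive workflow-level block, e.g. `permissions:` / `  contents: read` (or `permissions: {}` where no job needs a default), and layering the write scopes at job level makes the restriction independent of repository settings. The same applies to the backport-prs.yml, code-analysis.yml and docs.yml hunks.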
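Review bot: The new `permissions` block on `Backport` attaches `contents: write` and `pull-requests: write` to a `pull_request_target` job whose first step is named `Checkout PR HEAD`, so the `if: github.event.pull_request.merged && …` condition on the line above is what keeps unmerged pull-request content away from a write-capable token, and nothing in the hunk records that dependency. A comment above the block such as `# write scopes are acceptable here only because the if: above limits this job to already-merged PRs` would make the guard's role visible to whoever next edits the condition. The step list continues outside the hunk, so which ref is checked out cannot be confirmed from here.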
@@ -18,13 +18,13 @@ on: schedule: - cron: '0 8 * * 6' -permissions: - contents: read - security-events: write jobs: CodeQL: runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - name: Checkout repository
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 0508ee9cb15..312992cdf19 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -10,9 +10,6 @@ on: - v[0-9]+.[0-9]+.[0-9]+ pull_request: -permissions: - contents: write - concurrency: group: ${{ github.workflow}}-${{ github.head_ref }} cancel-in-progress: true
@@ -66,6 +63,8 @@ jobs: runs-on: ubuntu-latest env: DOC_VERSION: dev + permissions: + contents: write steps: - name: Download doc build