Set top-level permissions

TomHennen · Jan 5, 2025 · 9311dec · 9311dec
1 parent 5063c8f
commit 9311dec
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/.github/workflows/local_build_tools.yml b/.github/workflows/local_build_tools.yml
@@ -14,6 +14,9 @@ on:
       - publish/actions/container/**
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 # Make sure we cancel any outstanding workflows that are outdated.
 # This should save time & money.
 concurrency:
@@ -22,8 +25,6 @@ concurrency:
 
 jobs:
   build-and-push:
-    permissions:
-      contents: read
       actions: read # for detecting the Github Actions environment.
       id-token: write # for creating OIDC tokens for signing.
       packages: write # for uploading attestations.

diff --git a/.github/workflows/local_check_change.yml b/.github/workflows/local_check_change.yml
@@ -6,12 +6,14 @@ on:
     branches: [ "**" ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   # Whenever new source is pushed or a PR is received, scan it for any issues
   check-change:
     permissions:
       actions: read
-      contents: read
       packages: read
       issues: read
       pull-requests: read