ci: set permissions in parent job.

outofcoffee · outofcoffee · commit bd04a97bdbec · 2025-03-10T17:13:18.000Z
diff --git a/.github/workflows/cicd.yaml b/.github/workflows/cicd.yaml
@@ -32,6 +32,9 @@ jobs:
   ci:
     needs: [setup]
     uses: ./.github/workflows/pipeline.yaml
+    permissions:
+      checks: write
+      contents: write
     with:
       effective-branch: ${{ needs.setup.outputs.effective-branch }}
       release: ${{ needs.setup.outputs.release == 'true' }}
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
@@ -7,6 +7,8 @@ on:
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5.4.0
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml
@@ -29,14 +29,20 @@ on:
 jobs:
   validate:
     uses: ./.github/workflows/validate.yaml
+    permissions:
+      checks: write
 
   integ-test:
     uses: ./.github/workflows/integ-test.yaml
+    permissions:
+      checks: write
 
   release:
     needs: [validate, integ-test]
     if: ${{ inputs.release || inputs.effective-branch == 'develop' }}
     uses: ./.github/workflows/release.yaml
+    permissions:
+      contents: write
     with:
       effective-branch: ${{ inputs.effective-branch }}
       release: ${{ inputs.release }}
@@ -47,6 +53,8 @@ jobs:
     needs: [validate, integ-test]
     if: ${{ inputs.release }}
     uses: ./.github/workflows/maven-publish.yaml
+    permissions:
+      contents: write
     secrets: inherit
 
   distroless:
