microsoft
diff --git a/‎.github/workflows/binary-build.yml
Lines changed: 1 addition & 2 deletions b/‎.github/workflows/binary-build.yml
Lines changed: 1 addition & 2 deletions
diff --git a/‎.github/workflows/build-dev.yml
Lines changed: 5 additions & 4 deletions b/‎.github/workflows/build-dev.yml
Lines changed: 5 additions & 4 deletions
diff --git a/‎.github/workflows/build-main.yml
Lines changed: 5 additions & 4 deletions b/‎.github/workflows/build-main.yml
Lines changed: 5 additions & 4 deletions
diff --git a/‎.github/workflows/build-preview.yml
Lines changed: 5 additions & 4 deletions b/‎.github/workflows/build-preview.yml
Lines changed: 5 additions & 4 deletions
diff --git a/‎.github/workflows/build.yml
Lines changed: 64 additions & 11 deletions b/‎.github/workflows/build.yml
Lines changed: 64 additions & 11 deletions
diff --git a/‎.github/workflows/docs-build.yml
Lines changed: 1 addition & 2 deletions b/‎.github/workflows/docs-build.yml
Lines changed: 1 addition & 2 deletions
diff --git a/‎.github/workflows/fork-release-branch.yml
Lines changed: 1 addition & 3 deletions b/‎.github/workflows/fork-release-branch.yml
Lines changed: 1 addition & 3 deletions
diff --git a/‎.github/workflows/imagecreator-tests-functional.yml
Lines changed: 1 addition & 2 deletions b/‎.github/workflows/imagecreator-tests-functional.yml
Lines changed: 1 addition & 2 deletions
diff --git a/‎.github/workflows/open-bump-version-pr.yml
Lines changed: 1 addition & 5 deletions b/‎.github/workflows/open-bump-version-pr.yml
Lines changed: 1 addition & 5 deletions
diff --git a/‎.github/workflows/publish-container.yml
Lines changed: 1 addition & 5 deletions b/‎.github/workflows/publish-container.yml
Lines changed: 1 addition & 5 deletions
@@ -3,8 +3,7 @@
 
 name: Build binary and container for single arch
 
-permissions:
-  contents: read
+permissions: {}
 
 on:
   workflow_call:
 
@@ -3,10 +3,7 @@
 
 name: Build (dev)
 
-permissions:
-  contents: read
-  # Azure login.
-  id-token: write
+permissions: {}
 
 on:
   pull_request:
@@ -34,3 +31,7 @@ jobs:
       publishType: dev
       runFunctionalTests: ${{ inputs.runFunctionalTests || false }}
       runVMTests: ${{ inputs.runVMTests || false }}
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
@@ -3,10 +3,7 @@
 
 name: Build (main)
 
-permissions:
-  contents: read
-  # Azure login.
-  id-token: write
+permissions: {}
 
 on:
   push:
@@ -16,6 +13,10 @@ on:
 jobs:
   build:
     uses: ./.github/workflows/build.yml
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
     with:
       publishType: main
       runFunctionalTests: true
 
@@ -3,10 +3,7 @@
 
 name: Build (preview)
 
-permissions:
-  contents: read
-  # Azure login.
-  id-token: write
+permissions: {}
 
 on:
   push:
@@ -16,6 +13,10 @@ on:
 jobs:
   build:
     uses: ./.github/workflows/build.yml
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
     with:
       publishType: preview
       runFunctionalTests: true
 
@@ -3,10 +3,7 @@
 
 name: Build binary, container, and docs
 
-permissions:
-  contents: read
-  # Azure login.
-  id-token: write
+permissions: {}
 
 on:
   workflow_call:
@@ -31,16 +28,22 @@ jobs:
     with:
       publishType: ${{ inputs.publishType }}
       arch: amd64
+    permissions:
+      contents: read
 
   binary-build-arm64:
     name: Build ARM64
     uses: ./.github/workflows/binary-build.yml
     with:
       publishType: ${{ inputs.publishType }}
       arch: arm64
+    permissions:
+      contents: read
 
   build-docs:
     uses: ./.github/workflows/docs-build.yml
+    permissions:
+      contents: read
 
   tests-functional-azl3-amd64:
     name: Functional tests AZL3 AMD64
@@ -49,14 +52,22 @@ jobs:
     with:
       hostArch: amd64
       hostDistro: azl3
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
 
   tests-functional-azl3-arm64:
-   name: Functional tests AZL3 ARM64
-   if: ${{ inputs.runFunctionalTests }}
-   uses: ./.github/workflows/tests-functional.yml
-   with:
-     hostArch: arm64
-     hostDistro: azl3
+    name: Functional tests AZL3 ARM64
+    if: ${{ inputs.runFunctionalTests }}
+    uses: ./.github/workflows/tests-functional.yml
+    with:
+      hostArch: arm64
+      hostDistro: azl3
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
 
   tests-functional-ubuntu2404-amd64:
     name: Functional tests Ubuntu24.04 AMD64
@@ -65,6 +76,10 @@ jobs:
     with:
       hostArch: amd64
       hostDistro: ubuntu2404
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
 
   tests-functional-ubuntu2404-arm64:
     name: Functional tests Ubuntu24.04 ARM64
@@ -73,6 +88,10 @@ jobs:
     with:
       hostArch: arm64
       hostDistro: ubuntu2404
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
 
   imagecreator-tests-functional-azl3-amd64:
     name: Functional tests AZL3 AMD64
@@ -81,6 +100,8 @@ jobs:
     with:
       hostArch: amd64
       hostDistro: azl3
+    permissions:
+      contents: read
 
   imagecreator-tests-functional-ubuntu2404-amd64:
     name: Functional tests Ubuntu24.04 AMD64
@@ -89,6 +110,8 @@ jobs:
     with:
       hostArch: amd64
       hostDistro: ubuntu2404
+    permissions:
+      contents: read
 
   tests-vmtests-azl3-amd64:
     name: VMTests suite AZL3 AMD64
@@ -98,6 +121,10 @@ jobs:
     with:
       hostArch: amd64
       hostDistro: azl3
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
 
   tests-vmtests-ubuntu2404-amd64:
     name: VMTests suite Ubuntu24.04 AMD64
@@ -107,6 +134,10 @@ jobs:
     with:
       hostArch: amd64
       hostDistro: ubuntu2404
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
 
   tests-vmtests-ubuntu2404-arm64:
     name: VMTests suite Ubuntu24.04 ARM64
@@ -116,6 +147,10 @@ jobs:
     with:
       hostArch: arm64
       hostDistro: ubuntu2404
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
 
   tests-vmtests-imagecreator-azl3-amd64:
     name: VMTests suite image creator AZL3 AMD64
@@ -125,6 +160,8 @@ jobs:
     with:
       hostArch: amd64
       hostDistro: azl3
+    permissions:
+      contents: read
 
   tests-vmtests-imagecreator-ubuntu2404-amd64:
     name: VMTests suite image creator Ubuntu24.04 AMD64
@@ -133,7 +170,9 @@ jobs:
     uses: ./.github/workflows/tests-vmtests-imagecreator.yml
     with:
       hostArch: amd64
-      hostDistro: ubuntu2404    
+      hostDistro: ubuntu2404
+    permissions:
+      contents: read
 
   tests-vmtests-imagecreator-ubuntu2404-arm64:
     name: VMTests suite image creator Ubuntu24.04 ARM64
@@ -143,6 +182,8 @@ jobs:
     with:
       hostArch: arm64
       hostDistro: ubuntu2404
+    permissions:
+      contents: read
 
   tests-vmtests-osmodifier-azl3-amd64:
     name: VMTests suite osmodifier AZL3 AMD64
@@ -152,6 +193,10 @@ jobs:
     with:
       hostArch: amd64
       hostDistro: azl3
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
 
   tests-vmtests-osmodifier-ubuntu2404-amd64:
     name: VMTests suite osmodifier Ubuntu24.04 AMD64
@@ -161,6 +206,10 @@ jobs:
     with:
       hostArch: amd64
       hostDistro: ubuntu2404
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
 
   tests-vmtests-osmodifier-ubuntu2404-arm64:
     name: VMTests suite osmodifier Ubuntu24.04 ARM64
@@ -170,3 +219,7 @@ jobs:
     with:
       hostArch: arm64
       hostDistro: ubuntu2404
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
@@ -1,7 +1,6 @@
 name: Build docs
 
-permissions:
-  contents: read
+permissions: {}
 
 on:
   workflow_call: {}
 
@@ -3,9 +3,7 @@
 
 name: Fork release branch
 
-permissions:
-  # Create release branch.
-  contents: write
+permissions: {}
 
 on:
   workflow_call: {}
 
@@ -3,8 +3,7 @@
 
 name: Tests Image Creator functional
 
-permissions:
-  contents: read
+permissions: {}
 
 on:
   workflow_call:
 
@@ -3,11 +3,7 @@
 
 name: Open bump version PR
 
-permissions:
-  # Create release branch and publish release.
-  contents: write
-  # Publish PR.
-  #pull-requests: write
+permissions: {}
 
 on:
   workflow_call: {}
 
@@ -1,10 +1,6 @@
 name: Publish container to GHCR
 
-permissions:
-  # "Keyless" container signing
-  id-token: write
-  # Publish to GHCR.
-  packages: write
+permissions: {}
 
 on:
   workflow_call: {}