github: Specify permissions on the job level, not the workflow level (#68)

bkeryan · web-flow · commit 6a9c10e78dff · 2025-05-22T15:28:18.000-05:00
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -8,11 +8,6 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions:
-  contents: read
-  checks: write
-  pull-requests: write
-
 jobs:
   check_nitypes:
     name: Check nitypes
@@ -32,4 +27,8 @@ jobs:
     name: Report test results
     uses: ./.github/workflows/report_test_results.yml
     needs: [run_unit_tests, run_unit_tests_oldest_deps]
-    if: always()
+    if: always()
+    permissions:
+      contents: read
+      checks: write
+      pull-requests: write
diff --git a/.github/workflows/PR.yml b/.github/workflows/PR.yml
@@ -8,11 +8,6 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions:
-  contents: read
-  checks: write
-  pull-requests: write
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -21,3 +16,7 @@ jobs:
   run_ci:
     name: Run CI
     uses: ./.github/workflows/CI.yml
+    permissions:
+      contents: read
+      checks: write
+      pull-requests: write
diff --git a/.github/workflows/report_test_results.yml b/.github/workflows/report_test_results.yml
@@ -4,15 +4,14 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions:
-  contents: read
-  checks: write
-  pull-requests: write
-
 jobs:
   report_test_results:
     name: Report test results
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      checks: write
+      pull-requests: write
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -28,4 +27,4 @@ jobs:
         uses: EnricoMi/publish-unit-test-result-action@afb2984f4d89672b2f9d9c13ae23d53779671984 # v2.19.0
         with:
           files: "test_results/**/*.xml"
-        if: always()
+        if: always()
