ci: scope per-job permissions on the remaining workflows

emptyhammond · emptyhammond · commit 194a4b5ca8b3 · 2026-05-22T17:39:18.000+01:00
Add explicit per-job `permissions:` blocks to the 4 workflows that
were still relying on the repository default token permissions:
`check.yml`, `emulate.yml`, `example-app.yml`, `features.yml`.

- `check.yml`, `emulate.yml`, `example-app.yml` each have a single
  job that only needs to read source and run Gradle. They get
  `permissions: contents: read`.

- `features.yml` invokes a reusable workflow at
  `ably/features/.github/workflows/sdk-features.yml`. Permissions for
  a reusable workflow are inherited from the calling job — the called
  workflow's own `permissions:` block cannot upgrade scopes the
  caller has not granted. The called workflow at the pinned SHA runs
  `actions/checkout`, then `aws-actions/configure-aws-credentials`
  (AWS OIDC), then `ably/sdk-upload-action` (creates a GitHub
  deployment). It therefore needs:

      permissions:
        contents: read
        id-token: write
        deployments: write

  These match the inline equivalent in `javadoc.yml`, which does the
  same upload work directly; `contents: read` is added here as an
  explicit tightening rather than relying on the public-repo default.
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -10,6 +10,8 @@ on:
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
diff --git a/.github/workflows/emulate.yml b/.github/workflows/emulate.yml
@@ -9,6 +9,8 @@ on:
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/example-app.yml b/.github/workflows/example-app.yml
@@ -9,6 +9,8 @@ on:
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/features.yml b/.github/workflows/features.yml
@@ -8,6 +8,10 @@ on:
 
 jobs:
   build:
+    permissions:
+      contents: read
+      id-token: write
+      deployments: write
     uses: ably/features/.github/workflows/sdk-features.yml@6b3fc7a8ede2ebdd7a6325314f3a96c6466f1453 # main
     with:
       repository-name: ably-java
