Fix workflow permissions

cwize1 · cwize1 · commit 1becf85280be · 2025-08-11T12:49:28.000-07:00
diff --git a/.github/workflows/binary-build.yml b/.github/workflows/binary-build.yml
@@ -3,8 +3,7 @@
 
 name: Build binary and container for single arch
 
-permissions:
-  contents: read
+permissions: {}
 
 on:
   workflow_call:
diff --git a/.github/workflows/build-dev.yml b/.github/workflows/build-dev.yml
@@ -3,10 +3,7 @@
 
 name: Build (dev)
 
-permissions:
-  contents: read
-  # Azure login.
-  id-token: write
+permissions: {}
 
 on:
   pull_request:
@@ -30,6 +27,10 @@ on:
 jobs:
   build:
     uses: ./.github/workflows/build.yml
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
     with:
       publishType: dev
       runFunctionalTests: ${{ inputs.runFunctionalTests || false }}
diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml
@@ -3,10 +3,7 @@
 
 name: Build (main)
 
-permissions:
-  contents: read
-  # Azure login.
-  id-token: write
+permissions: {}
 
 on:
   push:
@@ -16,6 +13,10 @@ on:
 jobs:
   build:
     uses: ./.github/workflows/build.yml
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
     with:
       publishType: main
       runFunctionalTests: true
diff --git a/.github/workflows/build-preview.yml b/.github/workflows/build-preview.yml
@@ -3,10 +3,7 @@
 
 name: Build (preview)
 
-permissions:
-  contents: read
-  # Azure login.
-  id-token: write
+permissions: {}
 
 on:
   push:
@@ -16,6 +13,10 @@ on:
 jobs:
   build:
     uses: ./.github/workflows/build.yml
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
     with:
       publishType: preview
       runFunctionalTests: true
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -3,10 +3,7 @@
 
 name: Build binary, container, and docs
 
-permissions:
-  contents: read
-  # Azure login.
-  id-token: write
+permissions: {}
 
 on:
   workflow_call:
@@ -28,13 +25,17 @@ jobs:
   binary-build-amd64:
     name: Build AMD64
     uses: ./.github/workflows/binary-build.yml
+    permissions:
+      contents: read
     with:
       publishType: ${{ inputs.publishType }}
       arch: amd64
 
   binary-build-arm64:
     name: Build ARM64
     uses: ./.github/workflows/binary-build.yml
+    permissions:
+      contents: read
     with:
       publishType: ${{ inputs.publishType }}
       arch: arm64
@@ -46,6 +47,10 @@ jobs:
     name: Functional tests AZL3 AMD64
     if: ${{ inputs.runFunctionalTests }}
     uses: ./.github/workflows/tests-functional.yml
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
     with:
       hostArch: amd64
       hostDistro: azl3
@@ -54,6 +59,10 @@ jobs:
    name: Functional tests AZL3 ARM64
    if: ${{ inputs.runFunctionalTests }}
    uses: ./.github/workflows/tests-functional.yml
+  permissions:
+    contents: read
+    # Azure login.
+    id-token: write
    with:
      hostArch: arm64
      hostDistro: azl3
@@ -62,6 +71,10 @@ jobs:
     name: Functional tests Ubuntu24.04 AMD64
     if: ${{ inputs.runFunctionalTests }}
     uses: ./.github/workflows/tests-functional.yml
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
     with:
       hostArch: amd64
       hostDistro: ubuntu2404
@@ -70,6 +83,10 @@ jobs:
     name: Functional tests Ubuntu24.04 ARM64
     if: ${{ inputs.runFunctionalTests }}
     uses: ./.github/workflows/tests-functional.yml
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
     with:
       hostArch: arm64
       hostDistro: ubuntu2404
@@ -95,6 +112,10 @@ jobs:
     if: ${{ inputs.runVMTests }}
     needs: binary-build-amd64
     uses: ./.github/workflows/tests-vmtests.yml
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
     with:
       hostArch: amd64
       hostDistro: azl3
@@ -104,6 +125,10 @@ jobs:
     if: ${{ inputs.runVMTests }}
     needs: binary-build-amd64
     uses: ./.github/workflows/tests-vmtests.yml
+    permissions:
+      contents: read
+      # Azure login.
+      id-token: write
     with:
       hostArch: amd64
       hostDistro: ubuntu2404
@@ -113,6 +138,8 @@ jobs:
     if: ${{ inputs.runVMTests }}
     needs: binary-build-arm64
     uses: ./.github/workflows/tests-vmtests.yml
+    permissions:
+      contents: read
     with:
       hostArch: arm64
       hostDistro: ubuntu2404
@@ -122,6 +149,8 @@ jobs:
     if: ${{ inputs.runVMTests }}
     needs: binary-build-amd64
     uses: ./.github/workflows/tests-vmtests-imagecreator.yml
+    permissions:
+      contents: read
     with:
       hostArch: amd64
       hostDistro: azl3
@@ -131,6 +160,8 @@ jobs:
     if: ${{ inputs.runVMTests }}
     needs: binary-build-amd64
     uses: ./.github/workflows/tests-vmtests-imagecreator.yml
+    permissions:
+      contents: read
     with:
       hostArch: amd64
       hostDistro: ubuntu2404    
@@ -140,6 +171,8 @@ jobs:
     if: ${{ inputs.runVMTests }}
     needs: binary-build-arm64
     uses: ./.github/workflows/tests-vmtests-imagecreator.yml
+    permissions:
+      contents: read
     with:
       hostArch: arm64
       hostDistro: ubuntu2404
diff --git a/.github/workflows/docs-build.yml b/.github/workflows/docs-build.yml
@@ -1,7 +1,6 @@
 name: Build docs
 
-permissions:
-  contents: read
+permissions: {}
 
 on:
   workflow_call: {}
diff --git a/.github/workflows/fork-release-branch.yml b/.github/workflows/fork-release-branch.yml
@@ -3,9 +3,7 @@
 
 name: Fork release branch
 
-permissions:
-  # Create release branch.
-  contents: write
+permissions: {}
 
 on:
   workflow_call: {}
diff --git a/.github/workflows/imagecreator-tests-functional.yml b/.github/workflows/imagecreator-tests-functional.yml
@@ -3,8 +3,7 @@
 
 name: Tests Image Creator functional
 
-permissions:
-  contents: read
+permissions: {}
 
 on:
   workflow_call:
diff --git a/.github/workflows/open-bump-version-pr.yml b/.github/workflows/open-bump-version-pr.yml
@@ -3,11 +3,7 @@
 
 name: Open bump version PR
 
-permissions:
-  # Create release branch and publish release.
-  contents: write
-  # Publish PR.
-  #pull-requests: write
+permissions: {}
 
 on:
   workflow_call: {}
diff --git a/.github/workflows/publish-container.yml b/.github/workflows/publish-container.yml
@@ -1,10 +1,6 @@
 name: Publish container to GHCR
 
-permissions:
-  # "Keyless" container signing
-  id-token: write
-  # Publish to GHCR.
-  packages: write
+permissions: {}
 
 on:
   workflow_call: {}
diff --git a/.github/workflows/publish-github-pages.yml b/.github/workflows/publish-github-pages.yml
@@ -9,6 +9,7 @@ jobs:
   deploy:
     name: Publish GitHub pages
     permissions:
+      # GitHub pages publish.
       pages: write
       id-token: write
     environment:
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
@@ -3,9 +3,7 @@
 
 name: Publish release
 
-permissions:
-  # Create release tag and publish release.
-  contents: write
+permissions: {}
 
 on:
   workflow_call:
diff --git a/.github/workflows/release-minor-version.yml b/.github/workflows/release-minor-version.yml
@@ -3,17 +3,7 @@
 
 name: Release (major/minor)
 
-permissions:
-  # Push release branch and publish release.
-  contents: write
-  # Publish to GHCR.
-  packages: write
-  # "Keyless" container signing, Azure login, GitHub pages publish.
-  id-token: write
-  # Publish PR.
-  #pull-requests: write
-  # GitHub pages publish.
-  pages: write
+permissions: {}
 
 on:
   # Allow pipeline to be run manually.
@@ -22,34 +12,58 @@ on:
 jobs:
   build:
     uses: ./.github/workflows/build.yml
+    permissions:
+      contents: read
+      # Azure login
+      id-token: write
     with:
       publishType: official
       runFunctionalTests: true
       runVMTests: true
 
   publish-container:
     uses: ./.github/workflows/publish-container.yml
+    permissions:
+      # "Keyless" container signing
+      id-token: write
+      # Publish to GHCR.
+      packages: write
     needs:
     - build
 
   publish-release:
     uses: ./.github/workflows/publish-release.yml
+    permissions:
+      # Create release tag and publish release.
+      contents: write
     with:
       isLatestRelease: true
     needs:
     - build
 
   fork-release-branch:
     uses: ./.github/workflows/fork-release-branch.yml
+    permissions:
+      # Create release branch.
+      contents: write
     needs:
     - build
 
   open-bump-version-pr:
     uses: ./.github/workflows/open-bump-version-pr.yml
+    permissions:
+      # Create release branch and publish release.
+      contents: write
+      # Publish PR.
+      #pull-requests: write
     needs:
     - build
 
   publish-github-pages:
     uses: ./.github/workflows/publish-github-pages.yml
+    permissions:
+      # GitHub pages publish.
+      pages: write
+      id-token: write
     needs:
     - build
diff --git a/.github/workflows/release-patch-version.yml b/.github/workflows/release-patch-version.yml
diff --git a/.github/workflows/release-preview-version.yml b/.github/workflows/release-preview-version.yml
diff --git a/.github/workflows/tests-functional.yml b/.github/workflows/tests-functional.yml
diff --git a/.github/workflows/tests-vmtests-imagecreator.yml b/.github/workflows/tests-vmtests-imagecreator.yml
diff --git a/.github/workflows/tests-vmtests.yml b/.github/workflows/tests-vmtests.yml
