workflow permissions updates

GrantBirki · GrantBirki · commit 97bd81c156ec · 2024-03-18T09:59:44.000-06:00
diff --git a/.github/workflows/acceptance.yml b/.github/workflows/acceptance.yml
@@ -6,12 +6,13 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   # Detects changes to any of the source files for entitlements-app
   changes:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
 
     outputs:
       has_change: ${{ steps.diff.outputs.has_change}}
@@ -57,8 +58,6 @@ jobs:
     strategy:
       matrix:
         ruby: [ '2.7.5', '3.1.2', '3.2.2', '3.3.0' ]
-    permissions:
-      contents: read
 
     steps:
       - uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # pin@v1.152.0
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -9,14 +9,15 @@ on:
   schedule:
     - cron: '25 4 * * 5'
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
 
     strategy:
       fail-fast: false
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -6,15 +6,16 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   rubocop:
     name: runner / rubocop
     runs-on: ubuntu-latest
     strategy:
       matrix:
         ruby: [ '2.7.5', '3.1.2', '3.2.2', '3.3.0' ]
-    permissions:
-      contents: read
 
     steps:
       - name: checkout
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -6,15 +6,16 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   rubocop:
     name: runner / rspec
     runs-on: ubuntu-latest
     strategy:
       matrix:
         ruby: [ '2.7.5', '3.1.2', '3.2.2', '3.3.0' ]
-    permissions:
-      contents: read
 
     steps:
       - name: checkout
