Reduce permissions in workflows

QuLogic · QuLogic · commit 5b9f4bcd8aa8 · 2024-12-07T01:40:35.000-05:00
Moved the permissions to the jobs that need them, though this is
probably not a big change for the reviewdog workflow. Also drop the
`pull-request` permission from the reviewdog workflow, as it's not in
the mypy-stubtest one, and still seems to work.
diff --git a/.github/workflows/conflictcheck.yml b/.github/workflows/conflictcheck.yml
@@ -9,12 +9,11 @@ on:
   pull_request_target:
     types: [synchronize]
 
-permissions:
-  pull-requests: write
-
 jobs:
   main:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Check if PRs have merge conflicts
         uses: eps1lon/actions-label-merge-conflict@1b1b1fcde06a9b3d089f3464c96417961dde1168  # v3.0.2
diff --git a/.github/workflows/mypy-stubtest.yml b/.github/workflows/mypy-stubtest.yml
@@ -4,12 +4,13 @@ on: [pull_request]
 
 permissions:
   contents: read
-  checks: write
 
 jobs:
   mypy-stubtest:
     name: mypy-stubtest
     runs-on: ubuntu-latest
+    permissions:
+      checks: write
     steps:
       - uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/pr_welcome.yml b/.github/workflows/pr_welcome.yml
@@ -3,13 +3,11 @@ name: PR Greetings
 
 on: [pull_request_target]
 
-permissions:
-  pull-requests: write
-
 jobs:
   greeting:
     runs-on: ubuntu-latest
-
+    permissions:
+      pull-requests: write
     steps:
       - uses: actions/first-interaction@v1
         with:
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
@@ -4,13 +4,13 @@ on: [pull_request]
 
 permissions:
   contents: read
-  checks: write
-  pull-requests: write
 
 jobs:
   flake8:
     name: flake8
     runs-on: ubuntu-latest
+    permissions:
+      checks: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -38,6 +38,8 @@ jobs:
   mypy:
     name: mypy
     runs-on: ubuntu-latest
+    permissions:
+      checks: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -67,6 +69,8 @@ jobs:
   eslint:
     name: eslint
     runs-on: ubuntu-latest
+    permissions:
+      checks: write
     steps:
       - uses: actions/checkout@v4
         with:
