move permissions to job level

adoroszlai · adoroszlai · commit d16bc44dfebd · 2026-04-16T16:04:11.000+02:00
diff --git a/.github/workflows/build-and-tag.yaml b/.github/workflows/build-and-tag.yaml
@@ -24,13 +24,14 @@ on:
     branches:
       - 'ozone-**'
 
-permissions:
-  contents: read
-  packages: write
+permissions: { }
 
 jobs:
   build:
     uses: ./.github/workflows/build.yaml
+    permissions:
+      contents: read
+      packages: write
 
   tag:
     needs: build
@@ -39,6 +40,9 @@ jobs:
       DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
       IMAGE_ID: ${{ needs.build.outputs.image-id }}
       REGISTRIES: ghcr.io # docker.io is appended dynamically
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Generate tags
         uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -35,16 +35,17 @@ concurrency:
   group: ${{ github.sha }}
   cancel-in-progress: false
 
-permissions:
-  contents: read
-  packages: write
-
 env:
   OZONE_RUNNER_IMAGE: ghcr.io/apache/ozone-runner
 
+permissions: { }
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     outputs:
       image-id: ${{ steps.meta.outputs.tags }}
     steps:
