From 0a791aa1af9193cb6429a391e3bc76dbf133392c Mon Sep 17 00:00:00 2001
From: "Luke W. Johnston"
Date: Fri, 6 Jun 2025 19:46:44 +0200
Subject: [PATCH] ci: :lock: explicitly set permissions, move to job-level

---
 .github/workflows/add-to-project.yml | 6 ++++--
 .github/workflows/build-package.yml | 7 +++++--
 .github/workflows/sync-files.yml | 3 +++
 .github/workflows/update-version.yml | 7 +++++--
 4 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
index 5e50cce..498e1a6 100644
--- a/.github/workflows/add-to-project.yml
+++ b/.github/workflows/add-to-project.yml
@@ -11,12 +11,14 @@ on:
       - reopened
       - opened
 
-permissions:
-  pull-requests: write
+# Limit token permissions for security
+permissions: read-all
 
 jobs:
   add-to-project:
     uses: seedcase-project/.github/.github/workflows/reusable-add-to-project.yml@main
+    permissions:
+      pull-requests: write
     with:
       board-number: 18
       app-id: ${{ vars.ADD_TO_BOARD_APP_ID }}
diff --git a/.github/workflows/build-package.yml b/.github/workflows/build-package.yml
index 5100c0a..fb8f25b 100644
--- a/.github/workflows/build-package.yml
+++ b/.github/workflows/build-package.yml
@@ -21,9 +21,12 @@ on:
     branches:
       - main
 
-permissions:
-  contents: write
+# Limit token permissions for security
+permissions: read-all
 
 jobs:
   build:
     uses: seedcase-project/.github/.github/workflows/reusable-build-python.yml@main
+    # Permissions needed for pushing to the coverage branch.
+    permissions:
+      contents: write
diff --git a/.github/workflows/sync-files.yml b/.github/workflows/sync-files.yml
index 8ffac82..04d93ca 100644
--- a/.github/workflows/sync-files.yml
+++ b/.github/workflows/sync-files.yml
@@ -5,6 +5,9 @@ on:
       - main
   workflow_dispatch:
 
+# Limit token permissions for security
+permissions: read-all
+
 jobs:
   sync:
     uses: seedcase-project/.github/.github/workflows/reusable-sync-files.yml@main
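Review bot: `permissions: read-all` at the workflow level is broader than the comment "Limit token permissions for security" implies: it grants read on every token scope (packages, security-events, actions, and so on) to any job that does not override it, whereas `permissions: {}` or `contents: read` is the minimal default when no job needs more. The same default is introduced in build-package.yml, sync-files.yml and update-version.yml in this patch. The job-level block on add-to-project replaces the workflow-level one rather than adding to it, so that job's token ends up with `pull-requests: write` and nothing else; if reusable-add-to-project.yml@main does its work with the app token from `vars.ADD_TO_BOARD_APP_ID`, the GITHUB_TOKEN may not need the write scope at all — worth confirming against the called workflow before keeping it.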
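Review bot: The new job-level `permissions:` on build lists only `contents: write`, and because a job-level block overrides the workflow-level `read-all` entirely, every other scope for this job is now `none`, not read. A called reusable workflow cannot elevate what the caller passes, so if reusable-build-python.yml@main needs any further scope (for instance to comment on a pull request), it must be listed here. The comment could say this explicitly, e.g. `# Overrides the workflow-level read-all for this job only: contents: write is needed to push to the coverage branch.`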
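Review bot: The sync job is the only one of the four that gets no job-level `permissions:` block, so reusable-sync-files.yml@main is now called with a read-only GITHUB_TOKEN. If that workflow pushes the synced files back or opens a pull request (the hunk shows no `with:` block or app token, so this is inferred from the name), the push will now fail with a 403. Either add a job-level grant as in the other three files, `permissions:` / `  contents: write` (or `pull-requests: write` if it opens a PR), or confirm the called workflow authenticates with its own app token.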
diff --git a/.github/workflows/update-version.yml b/.github/workflows/update-version.yml
index 2196433..03aa554 100644
--- a/.github/workflows/update-version.yml
+++ b/.github/workflows/update-version.yml
@@ -5,11 +5,14 @@ on:
     branches:
       - main
 
-permissions:
-  contents: write
+# Limit token permissions for security
+permissions: read-all
 
 jobs:
   update-version:
+    # Only give permissions for this job.
+    permissions:
+      contents: write
     uses: seedcase-project/.github/.github/workflows/reusable-update-python-project-version.yml@main
     with:
       app-id: ${{ vars.UPDATE_VERSION_APP_ID }}
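Review bot: The job-level `permissions:` block is placed before `uses:` here, while add-to-project.yml and build-package.yml in the same patch place it after `uses:`; keeping one ordering across the four workflows makes the per-job grants easier to find in review. The comment `# Only give permissions for this job.` states the mechanism but not the reason for the write scope; a note such as `# Overrides the workflow-level read-all: contents: write is presumably needed to commit the version bump.` would document it, with the "presumably" dropped once confirmed against the called workflow. Note that this job also passes `vars.UPDATE_VERSION_APP_ID`, so as with add-to-project it is worth checking whether the GITHUB_TOKEN write scope is needed at all.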