github: Move permissions to the individual jobs
authorTobias Brunner <tobias@strongswan.org>
Wed, 27 May 2026 11:31:51 +0000 (13:31 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 27 May 2026 11:31:51 +0000 (13:31 +0200)
SonarQube complains about workflow-level "allow" permissions.

.github/workflows/android.yml
.github/workflows/cache-cleanup.yml
.github/workflows/linux.yml
.github/workflows/macos.yml
.github/workflows/sonarcloud.yml
.github/workflows/tkm.yml
.github/workflows/windows.yml

index 4d7c97fba39bf584196fca872397d059ab86e649..bb6d2fa5ff8dfa9ddc0149a7df4284caffcb9afe 100644 (file)
@@ -6,9 +6,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  actions: write
-
 env:
   CCACHE_BASEDIR: ${{ github.workspace }}
   CCACHE_COMPRESS: true
@@ -32,6 +29,8 @@ jobs:
     needs: pre-check
     if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     env:
       TEST: android
       # since the NDK might be newly installed, we have to use this to avoid cache misses
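Review bot: The `pre-check` job that this job depends on (`needs: pre-check`) gets no `permissions:` block from any hunk of this commit, so once the workflow-level block is removed it appears to fall back to the repository's default GITHUB_TOKEN permissions, which can be broader than the previous `actions: write`-only token. A workflow-level `permissions: {}` would keep every job without its own block at no access; since it is a deny rather than an allow, it should not trigger the finding the commit message mentions. Alternatively, give `pre-check` its own explicit block. The same applies to linux.yml, macos.yml, sonarcloud.yml, tkm.yml and windows.yml, whose jobs also reference `pre-check`. The job's body continues outside the hunk.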
index 76d74b949279be3daeb6ff31f2ca472ed39aeaa6..eea8a8278bd124a5f04860ee9e513b0e2b585523 100644 (file)
@@ -2,12 +2,11 @@ name: Cache cleanup
 
 on: delete
 
-permissions:
-  actions: write
-
 jobs:
   cleanup:
     runs-on: ubuntu-slim
+    permissions:
+      actions: write
     steps:
       - env:
           GH_TOKEN: ${{ github.token }}
index 8ed484b011dbac96837ef2bd6fc1802763c74f72..5df1a84c35c858caa00c7fed12ae1475f6036a49 100644 (file)
@@ -6,9 +6,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  actions: write
-
 env:
   # this test case does not actually test anything but tries to access system
   # directories that might be inaccessible on build hosts
@@ -35,6 +32,8 @@ jobs:
     needs: pre-check
     if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
     runs-on: ${{ matrix.os || 'ubuntu-latest' }}
+    permissions:
+      actions: write
     strategy:
       fail-fast: false
       matrix:
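Review bot: The added `actions: write` is copied unchanged onto every job in this file (also the hunks at -160, -260 and -342) and in the other workflows, so each of these jobs receives the same token as before the move. Per-job blocks only reduce exposure if each job is checked for what it actually calls. The steps are outside these hunks, so it is not visible which jobs need write access to Actions and which would work with `actions: read` or `permissions: {}`. A one-line comment above each block, such as `# actions: write is needed to <reason>`, would record the justification and make later tightening reviewable.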
@@ -160,6 +159,8 @@ jobs:
     needs: pre-check
     if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
     runs-on: ${{ matrix.os }}
+    permissions:
+      actions: write
     strategy:
       fail-fast: false
       matrix:
@@ -260,6 +261,8 @@ jobs:
     needs: pre-check
     if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
     runs-on: ${{ matrix.os }}
+    permissions:
+      actions: write
     strategy:
       matrix:
         os: [ ubuntu-22.04 ]
@@ -342,6 +345,8 @@ jobs:
     if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
     runs-on: ubuntu-latest
     container: alpine:latest
+    permissions:
+      actions: write
     env:
       TESTS_REDUCED_KEYLENGTHS: yes
       TEST: alpine
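Review bot: This job runs in `container: alpine:latest`, a mutable tag, and the added block gives it a token with `actions: write`, so whatever image the tag resolves to at run time executes with that grant. Pinning the image by digest, `container: alpine@sha256:<digest>` (placeholder), or at least to a fixed release tag, makes the content that receives the token reproducible. The job's steps continue outside the hunk.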
index 3a5118452b13d084d75a2d4269ce8bc771b4bb4b..2bb052673ad9646ae8cd6e9c5a8211deabe953ba 100644 (file)
@@ -6,9 +6,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  actions: write
-
 env:
   TESTS_REDUCED_KEYLENGTHS: yes
   CCACHE_BASEDIR: ${{ github.workspace }}
@@ -36,6 +33,8 @@ jobs:
     if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
     runs-on: ${{ matrix.os }}
     timeout-minutes: 20
+    permissions:
+      actions: write
     env:
       TEST: macos
     steps:
index f28facbe9100db8e9bdaa914905d69556f24f4fe..988cb092e4fda0d334048eabd35b4c3f79ddf363 100644 (file)
@@ -6,9 +6,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  actions: write
-
 env:
   CCACHE_BASEDIR: ${{ github.workspace }}
   CCACHE_COMPRESS: true
@@ -31,6 +28,8 @@ jobs:
     needs: pre-check
     if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     env:
       TEST: sonarcloud
     steps:
index 44fe35e958ce9f0bfdf7ba6901f7309dfe41639c..902e048972bf6ee8015bb67e74a2e9891170eb27 100644 (file)
@@ -6,9 +6,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  actions: write
-
 env:
   CCACHE_DIR: ${{ github.workspace }}/.ccache
   CCACHE_CONTAINER: /root/.ccache
@@ -32,6 +29,8 @@ jobs:
     needs: pre-check
     if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     env:
       TEST: tkm
     steps:
index 039085458a9e07d4d65af58a36cdb8d223f206b4..e3299eb629b5f3cf4a65fb42a3ca950acb15251b 100644 (file)
@@ -6,9 +6,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  actions: write
-
 env:
   TESTS_REDUCED_KEYLENGTHS: yes
   CCACHE_COMPRESS: true
@@ -34,6 +31,8 @@ jobs:
     needs: pre-check
     if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     strategy:
       matrix:
         test: [ win64, win32 ]
@@ -80,6 +79,8 @@ jobs:
     needs: pre-check
     if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
     runs-on: windows-latest
+    permissions:
+      actions: write
     strategy:
       matrix:
         include: