mesh-2092 move permissions from workflow level to job level

james-bradley-nhs · james-bradley-nhs · commit 7a8df7cd5776 · 2026-01-06T14:54:54.000Z
diff --git a/.github/workflows/merge-develop.yml b/.github/workflows/merge-develop.yml
@@ -4,14 +4,13 @@ on:
     branches:
       - develop
 
-permissions:
-  contents: write
-  checks: write
-  pull-requests: write
-
 jobs:
   coverage:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      checks: write
+      pull-requests: write
     if: github.repository == 'NHSDigital/mesh-sandbox' && !contains(github.event.head_commit.message, 'tag release version:')
     steps:
       - name: checkout
@@ -110,6 +109,10 @@ jobs:
 
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      checks: write
+      pull-requests: write
     if: github.repository == 'NHSDigital/mesh-sandbox'  && github.actor != 'dependabot[bot]' && !contains(github.event.head_commit.message, 'tag release version:')
     steps:
       - name: checkout
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -4,14 +4,13 @@ on:
     branches:
       - develop
 
-permissions:
-  contents: write
-  checks: write
-  pull-requests: write
-
 jobs:
   coverage:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      checks: write
+      pull-requests: write
     if: github.repository == 'NHSDigital/mesh-sandbox'
     steps:
       - name: checkout
@@ -152,6 +151,10 @@ jobs:
 
   lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      checks: write
+      pull-requests: write
     if: github.repository == 'NHSDigital/mesh-sandbox'
     steps:
       - name: checkout
@@ -231,6 +234,10 @@ jobs:
 
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      checks: write
+      pull-requests: write
     if: github.repository == 'NHSDigital/mesh-sandbox' && github.actor != 'dependabot[bot]'
     needs:
       - coverage
