Move permissions to job-level rather than workflow level

total nit: move permissions down to job-level. This is a best practice for security. Here it doesn't matter, but it sets a good precedent if anyone copies this to use in writing a new workflow.
dependabot · May 16, 2023 · 4c7a5b5 · 4c7a5b5
1 parent b3bc799
commit 4c7a5b5
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 6 deletions.
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -1,11 +1,14 @@
 name: Dependabot auto-merge
 on: pull_request_target
-permissions:
-  pull-requests: write
-  contents: write
+
 jobs:
   dependabot:
     runs-on: ubuntu-latest
+
+    permissions:
+      pull-requests: write
+      contents: write
+
     if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:
       - name: Check out code

diff --git a/.github/workflows/dependabot-build.yml b/.github/workflows/dependabot-build.yml
@@ -3,12 +3,14 @@ name: Compile dependabot updates
 on:
   pull_request:
 
-permissions:
-  pull-requests: write
-  contents: write
 jobs:
   fetch-dependabot-metadata:
     runs-on: ubuntu-latest
+
+    permissions:
+      pull-requests: write
+      contents: write
+
     # We only want to check the metadata on pull_request events from Dependabot itself,
     # any subsequent pushes to the PR should just skip this step so we don't go into
     # a loop on commits created by the `build-dependabot-changes` job