From 73692df27233c97194776b6eba2ebe40b828e0a5 Mon Sep 17 00:00:00 2001
From: Eddie Knight
Date: Thu, 20 Oct 2022 12:48:05 -0500
Subject: [PATCH] Additional workflow permissions tweaks

Signed-off-by: Eddie Knight
---
 .github/workflows/release-manifests.yml | 6 +++---
 .github/workflows/release.yaml | 4 +---
 .github/workflows/scan.yaml | 4 ++--
 3 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/release-manifests.yml b/.github/workflows/release-manifests.yml
index 9ccc419a..0d24333d 100644
--- a/.github/workflows/release-manifests.yml
+++ b/.github/workflows/release-manifests.yml
@@ -8,11 +8,11 @@ permissions:
 contents: read
 jobs:
- permissions:
- id-token: write # needed for keyless signing
- packages: write # needed for ghcr access
 build-push:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write # needed for keyless signing
+ packages: write # needed for ghcr access
 steps:
 - uses: actions/checkout@v3
 - name: Setup Kustomize
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 099a6827..d4696dea 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,9 +5,7 @@ on:
 tags: [ 'v*' ]
 permissions:
- contents: write # needed to write releases
- id-token: write # needed for keyless signing
- packages: write # needed for ghcr access
+ contents: read
 jobs:
 goreleaser:
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index 401af241..f8430a12 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -51,10 +51,10 @@ jobs:
 sarif_file: snyk.sarif
 codeql:
- permissions:
- security-events: write # for codeQL to write security events
 name: CodeQL
 runs-on: ubuntu-latest
+ permissions:
+ security-events: write # for codeQL to write security events
 if: github.actor != 'dependabot[bot]'
 steps:
 - name: Checkout repository
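Review bot: The job-level `permissions` block now under `build-push` in release-manifests.yml lists only `id-token` and `packages`, and once a job declares its own block every scope it omits is set to none, so the workflow-level `contents: read` no longer applies to this job. `actions/checkout@v3` then runs without repository read access, which only works while the repository is public; add `contents: read # needed for checkout` to the job block. The `codeql` job in scan.yaml has the same shape, declaring only `security-events: write` ahead of its checkout step. Both step lists continue outside their hunks.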
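Review bot: Dropping `contents: write`, `id-token: write` and `packages: write` from the workflow level of release.yaml leaves the `goreleaser` job with read-only contents unless the job declares those scopes itself, and this commit adds only the single `contents: read` line to that file. The job body is outside the hunk, so confirm it already carries a job-level `permissions:` block with `contents: write`, `id-token: write` and `packages: write`. Without it, the release upload, keyless signing and ghcr push would be expected to fail on the next `v*` tag. A short comment next to the workflow-level line, such as `contents: read # default; write scopes are granted per job`, would make the intent clear to the next editor.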