From bacc64e79b07aa68a59a14ad2c0980be9c309140 Mon Sep 17 00:00:00 2001 From: Cameron Showalter Date: Mon, 16 Dec 2024 11:51:33 -0900 Subject: [PATCH] Refactored action permissions --- .github/workflows/main-pipeline-cdk.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/main-pipeline-cdk.yml b/.github/workflows/main-pipeline-cdk.yml index 97d34d2..65b98e7 100644 --- a/.github/workflows/main-pipeline-cdk.yml +++ b/.github/workflows/main-pipeline-cdk.yml @@ -29,6 +29,11 @@ on: env: EXAMPLES_PATH: ./Examples # No trailing slash plz! +# You can declare this for specific jobs too, but almost all here +# need this anyways. The one that doesn't, doesn't use external actions.. +permissions: + id-token: write + contents: read jobs: setup-matrix: @@ -102,9 +107,6 @@ jobs: needs: - setup-matrix - cdk-synth - permissions: - id-token: write - contents: read steps: ## Moved this check away from the job-level 'if', so it actually fails if you're # not on main. Failure is easier to see than a skipped job. @@ -151,9 +153,6 @@ jobs: matrix: deploy-config: ${{ fromJson(needs.setup-matrix.outputs.deploy-matrix) }} environment: "${{ matrix.deploy-config }}" - permissions: - id-token: write - contents: read steps: - uses: actions/checkout@v4
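Review bot: The workflow-level `permissions:` block added in the first hunk grants `id-token: write` to every job, including the one the new comment itself says does not need it, so the job-scoped least-privilege that the second and third hunks delete is lost rather than refactored. `id-token: write` governs whether a job may request a GitHub OIDC token (presumably consumed by a cloud-credentials step in the deploy jobs, which lies outside these hunks), not whether the job uses external actions, so the comment's rationale is misleading; any third-party action running in a job that holds this permission can mint a token carrying the workflow's identity and exchange it against the cloud trust policy, which widens the supply-chain blast radius of every `uses:` step in the file. I would keep the top-level block at `permissions:` / `  contents: read` and restore `id-token: write` only on the jobs that actually assume a role, as the removed lines in hunks 2 and 3 did. If the shared grant is kept anyway, reword the comment to state the real trade-off, e.g. `# id-token: write lets a job request an OIDC token for cloud role assumption; granted workflow-wide for convenience, so every action in every job can mint one.`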