From 9c41f60b48a5cd4a588a52e2e0e3d4ef6f015745 Mon Sep 17 00:00:00 2001
From: ReenigneArcher <42013603+ReenigneArcher@users.noreply.github.com>
Date: Mon, 2 Feb 2026 21:25:20 -0500
Subject: [PATCH] chore: move workflow permissions to job level
---
 .github/workflows/__call-ci-node.yml | 8 +++++---
 .github/workflows/__call-codeql.yml | 5 +++--
 .github/workflows/__call-docker.yml | 7 +++++--
 3 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/__call-ci-node.yml b/.github/workflows/__call-ci-node.yml
index b1080a6b..6087eaa9 100644
--- a/.github/workflows/__call-ci-node.yml
+++ b/.github/workflows/__call-ci-node.yml
@@ -4,8 +4,7 @@
 # This workflow will run tests using node and then create a draft release on GitHub for push events to master.
 name: CI-Node (called)
-permissions:
-  contents: read
+permissions: {}
 on:
   workflow_call:
@@ -40,9 +39,11 @@ jobs:
           github_token: ${{ secrets.GITHUB_TOKEN }}
   build:
-    runs-on: ubuntu-latest
     needs:
       - setup_release
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -120,6 +121,7 @@ jobs:
     needs:
       - setup_release
       - build
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       - name: Create Release
diff --git a/.github/workflows/__call-codeql.yml b/.github/workflows/__call-codeql.yml
index 14d397b8..085b45f7 100644
--- a/.github/workflows/__call-codeql.yml
+++ b/.github/workflows/__call-codeql.yml
@@ -2,8 +2,7 @@
 # This workflow will analyze all supported languages in the repository using CodeQL Analysis.
 name: CodeQL (called)
-permissions:
-  contents: read
+permissions: {}
 on:
   pull_request:
@@ -12,6 +11,8 @@ on:
 jobs:
   languages:
     name: Get language matrix
+    permissions:
+      contents: read
     outputs:
       matrix: ${{ steps.lang.outputs.result }}
       continue: ${{ steps.continue.outputs.result }}
diff --git a/.github/workflows/__call-docker.yml b/.github/workflows/__call-docker.yml
index 2f585650..fdc4c51d 100644
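Review bot: With `permissions: {}` now set at workflow level, every job in this file that declares no `permissions` block inherits the empty set instead of the former `contents: read`; the second hunk of __call-ci-node.yml grants `contents: read` only to `build`, while `setup_release` — whose tail (`github_token: ${{ secrets.GITHUB_TOKEN }}`) is the hunk's first context line — lies outside the hunk and is not shown declaring anything. The same applies to the jobs not touched by the `languages` hunk in __call-codeql.yml and the `check_dockerfiles` hunk in __call-docker.yml: a CodeQL job that uploads analysis results needs `security-events: write`, and a job that pushes images needs `packages: write`, so confirm each untouched job declares its own block rather than relying on the old workflow default. A short comment on the workflow-level line would make the intent explicit to the next editor, e.g. `permissions: {}  # every job must declare the permissions it needs`.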
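Review bot: The job that the third hunk of __call-ci-node.yml gives `permissions: {}` runs a `Create Release` step, and creating a release with GITHUB_TOKEN requires `contents: write`; with the empty set the step can only succeed if it authenticates with a credential supplied by the caller, which the hunk does not show. If that is the intended design, say so next to the line, e.g. `permissions: {}  # release is created with the caller-supplied token, not GITHUB_TOKEN`; otherwise grant `contents: write` here. The job's steps continue outside the hunk, so the token the step actually uses cannot be confirmed from this diff.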
--- a/.github/workflows/__call-docker.yml
+++ b/.github/workflows/__call-docker.yml
@@ -14,8 +14,7 @@
 # `true` to extract artifacts from the `/artifacts` directory to the GitHub runner.
 name: Docker (called)
-permissions:
-  contents: read
+permissions: {}
 on:
   pull_request:
@@ -61,6 +60,8 @@ on:
 jobs:
   check_dockerfiles:
     name: Check Dockerfiles
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -321,6 +322,8 @@ jobs:
     needs:
       - check_dockerfiles
       - docker
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2