[BRE-1333] [key-connector] Update workflow permissions (#243)

gitclonebrian · web-flow · commit 92c7672182e9 · 2025-12-02T10:53:12.000-05:00
* removed permissions from job level
* added permission to app token generation step
* explicitly define empty permission set at workflow level
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
@@ -12,14 +12,14 @@ on:
         default: false
         type: boolean
 
+permissions: {}
+
 jobs:
   bump_version:
     name: Bump version
     runs-on: ubuntu-22.04
     permissions:
-      contents: write
       id-token: write
-      pull-requests: write
     outputs:
       version: ${{ steps.set-final-version-output.outputs.version }}
 
@@ -53,6 +53,7 @@ jobs:
         with:
           app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
           private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          permission-contents: write
 
       - name: Check out repo
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
