Merge pull request #94 from bcgov/feat/addPermission

feat: add permission to workflow jobs

generators/gh-maven-build/templates/build-release.yaml

@@ -22,6 +22,7 @@ env:
 jobs:
   check_token_expiration:
     uses: ./.github/workflows/check-token.yaml
+    permissions: {}
     secrets:
       token: ${{ secrets.<%= brokerJwt %> }}
 <% if (unitTestsPath) { -%>

generators/gh-maven-build/templates/check-token.yaml

@@ -11,6 +11,7 @@ on:
       token:
         description: "The Broker token"
         required: true
+permissions: {}
 
 jobs:
   check-jwt:

generators/gh-maven-build/templates/deploy.yaml

@@ -26,13 +26,17 @@ env:
 jobs:
   check_token_expiration:
     uses: ./.github/workflows/check-token.yaml
+    permissions: {}
     secrets:
       token: ${{ secrets.<%= brokerJwt %> }}
   deploy-build:
     name: Deploy development version
     if: ${{ ! startsWith(github.ref, 'refs/tags/') }}
     runs-on: ubuntu-latest
     needs: check_token_expiration
+    permissions:
+      contents: read
+      packages: read
     outputs:
       project_version: ${{ steps.set-build-output.outputs.project_version }}
       build_guid: ${{ steps.set-build-output.outputs.build_guid }}
@@ -117,6 +121,9 @@ jobs:
     if: ${{ startsWith(github.ref, 'refs/tags/') }}
     runs-on: ubuntu-latest
     needs: check_token_expiration
+    permissions:
+      contents: read
+      packages: read
     outputs:
       project_version: ${{ steps.set-tag-output.outputs.project_version }}
       build_guid: ${{ steps.set-tag-output.outputs.build_guid }}
@@ -187,6 +194,10 @@ jobs:
       ((needs.deploy-build.result == 'success' && needs.deploy-tag.result == 'skipped') ||
       (needs.deploy-build.result == 'skipped' && needs.deploy-tag.result == 'success'))
     needs: [deploy-build, deploy-tag]
+    permissions:
+      actions: read
+      packages: read
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Submit a job to Jenkins