Revert "Limit workflow job permissions to bare minimum (spiffe#3706)"

This reverts commit 9d0b194.

Signed-off-by: Ryan Turner <[email protected]>

Author: Ryan Turner

.github/workflows/depsreview.yaml

@@ -1,13 +1,12 @@
 name: 'Dependency Review'
 on: [pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-
     steps:
       - name: 'Checkout Repository'
         uses: actions/checkout@v3

.github/workflows/nightly_build.yaml

@@ -4,6 +4,9 @@ on:
     # Random minute number to avoid GH scheduler stampede
     - cron: '37 21 * * *'
   workflow_dispatch: {}
+permissions:
+  contents: read
+  packages: write
 
 env:
   NIGHTLY: true
@@ -12,11 +15,6 @@ jobs:
   build-and-publish-images:
     runs-on: ubuntu-20.04
 
-    permissions:
-      contents: read
-      id-token: write
-      packages: write
-
     env:
       COSIGN_EXPERIMENTAL: 1
 

.github/workflows/pr_build.yaml

@@ -11,10 +11,6 @@ jobs:
   cache-deps:
     name: cache-deps (linux)
     runs-on: ubuntu-20.04
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -34,10 +30,6 @@ jobs:
     name: lint (linux)
     runs-on: ubuntu-20.04
     needs: cache-deps
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -72,10 +64,6 @@ jobs:
         OS: [ubuntu-20.04, macos-latest]
     runs-on: ${{ matrix.OS }}
     needs: cache-deps
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -95,10 +83,6 @@ jobs:
     name: unit-test (linux with race detection)
     runs-on: ubuntu-20.04
     needs: cache-deps
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -118,10 +102,6 @@ jobs:
     name: artifacts (linux)
     runs-on: ubuntu-20.04
     needs: [cache-deps]
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -153,10 +133,6 @@ jobs:
     name: images (linux)
     runs-on: ubuntu-20.04
     needs: [cache-deps]
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -194,10 +170,6 @@ jobs:
     name: images (windows)
     runs-on: windows-2022
     needs: artifact-windows
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -221,10 +193,6 @@ jobs:
   scratch-images:
     runs-on: ubuntu-20.04
     needs: [cache-deps]
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -262,10 +230,6 @@ jobs:
     name: integration (linux)
     runs-on: ubuntu-20.04
     needs: [cache-deps, images, scratch-images]
-
-    permissions:
-      contents: read
-
     strategy:
       fail-fast: false
       matrix:
@@ -328,10 +292,6 @@ jobs:
     name: integration (windows)
     runs-on: windows-2022
     needs: images-windows
-
-    permissions:
-      contents: read
-
     defaults:
       run:
         shell: msys2 {0}
@@ -379,10 +339,6 @@ jobs:
   cache-deps-windows:
     name: cache-deps (windows)
     runs-on: windows-2022
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -402,10 +358,6 @@ jobs:
     name: lint (windows)
     runs-on: windows-2022
     needs: cache-deps-windows
-
-    permissions:
-      contents: read
-
     defaults:
       run:
         shell: msys2 {0}
@@ -449,10 +401,6 @@ jobs:
     name: unit-test (windows)
     runs-on: windows-2022
     needs: cache-deps-windows
-
-    permissions:
-      contents: read
-
     defaults:
       run:
         shell: msys2 {0}
@@ -485,10 +433,6 @@ jobs:
     name: artifact (windows)
     runs-on: windows-2022
     needs: cache-deps-windows
-
-    permissions:
-      contents: read
-
     defaults:
       run:
         shell: msys2 {0}

.github/workflows/release_build.yaml

@@ -9,10 +9,6 @@ jobs:
   cache-deps:
     name: cache-deps (linux)
     runs-on: ubuntu-20.04
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -32,10 +28,6 @@ jobs:
     name: lint (linux)
     runs-on: ubuntu-20.04
     needs: cache-deps
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -70,10 +62,6 @@ jobs:
         OS: [ubuntu-20.04, macos-latest]
     runs-on: ${{ matrix.OS }}
     needs: cache-deps
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -93,10 +81,6 @@ jobs:
     name: unit-test (linux with race detection)
     runs-on: ubuntu-20.04
     needs: cache-deps
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -116,10 +100,6 @@ jobs:
     name: artifacts (linux)
     runs-on: ubuntu-20.04
     needs: [cache-deps]
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -151,10 +131,6 @@ jobs:
     name: images (linux)
     runs-on: ubuntu-20.04
     needs: [cache-deps]
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -188,10 +164,6 @@ jobs:
     name: images (windows)
     runs-on: windows-2022
     needs: artifact-windows
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -215,10 +187,6 @@ jobs:
   scratch-images:
     runs-on: ubuntu-20.04
     needs: [cache-deps]
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -252,10 +220,6 @@ jobs:
     name: integration (linux)
     runs-on: ubuntu-20.04
     needs: [cache-deps, images, scratch-images]
-
-    permissions:
-      contents: read
-
     strategy:
       fail-fast: false
       matrix:
@@ -329,10 +293,6 @@ jobs:
     name: integration (windows)
     runs-on: windows-2022
     needs: images-windows
-
-    permissions:
-      contents: read
-
     defaults:
       run:
         shell: msys2 {0}
@@ -380,10 +340,6 @@ jobs:
   cache-deps-windows:
     name: cache-deps (windows)
     runs-on: windows-2022
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -403,10 +359,6 @@ jobs:
     name: lint (windows)
     runs-on: windows-2022
     needs: cache-deps-windows
-
-    permissions:
-      contents: read
-
     defaults:
       run:
         shell: msys2 {0}
@@ -450,10 +402,6 @@ jobs:
     name: unit-test (windows)
     runs-on: windows-2022
     needs: cache-deps-windows
-
-    permissions:
-      contents: read
-
     defaults:
       run:
         shell: msys2 {0}
@@ -486,10 +434,6 @@ jobs:
     name: artifact (windows)
     runs-on: windows-2022
     needs: cache-deps-windows
-
-    permissions:
-      contents: read
-
     defaults:
       run:
         shell: msys2 {0}
@@ -540,10 +484,6 @@ jobs:
     runs-on: ubuntu-20.04
     needs: [lint, unit-test, unit-test-race-detector, artifacts, integration,
             lint-windows, unit-test-windows, artifact-windows, integration-windows]
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -568,11 +508,6 @@ jobs:
     runs-on: ubuntu-20.04
     needs: [lint, unit-test, unit-test-race-detector, artifacts, integration]
 
-    permissions:
-      contents: read
-      id-token: write
-      packages: write
-
     env:
       COSIGN_EXPERIMENTAL: 1