Merge pull request #3232 from eddie-knight/fix/workflow-permissions

Additional workflow permissions tweaks

.github/workflows/release-manifests.yml

@@ -8,11 +8,11 @@ permissions:
   contents: read
 
 jobs:
-  permissions:
-    id-token: write # needed for keyless signing
-    packages: write # needed for ghcr access
   build-push:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     steps:
       - uses: actions/checkout@v3
       - name: Setup Kustomize

.github/workflows/release.yaml

@@ -5,9 +5,7 @@ on:
     tags: [ 'v*' ]
 
 permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+  contents: read
 
 jobs:
   goreleaser:

.github/workflows/scan.yaml

@@ -51,10 +51,10 @@ jobs:
           sarif_file: snyk.sarif
 
   codeql:
-    permissions:
-      security-events: write # for codeQL to write security events
     name: CodeQL
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write # for codeQL to write security events
     if: github.actor != 'dependabot[bot]'
     steps:
       - name: Checkout repository