On branch edburns/dd-2855288-add-smoke-test-to-build-and-test Reduce blast radius by tightening permissions.

modified:   .github/workflows/build-test.yml

@Copilot wrote:

> The workflow-level token permissions are set to contents: write, checks: write, and now pull-requests: write for every run, including pull_request events. To reduce blast radius, consider setting the workflow default to read-only and granting write permissions only at the job/step that needs them (the badge PR step needs contents: write + pull-requests: write). This keeps PR runs from having unnecessary write scopes.

This is a good suggestion.

Signed-off-by: Ed Burns <edburns@microsoft.com>

Author: edburns

.github/workflows/build-test.yml

@@ -19,9 +19,7 @@ on:
   merge_group:
 
 permissions:
-  contents: write
-  checks: write
-  pull-requests: write
+  contents: read
 
 jobs:
 
@@ -35,6 +33,10 @@ jobs:
     name: "Java SDK Tests"
     needs: smoke-test
     if: ${{ always() && needs.smoke-test.result != 'failure' }}
+    permissions:
+      contents: write
+      checks: write
+      pull-requests: write
 
     runs-on: ubuntu-latest
     defaults: