Refactor permissions in publish.yml (#49)

alexasselin008 · web-flow · commit 3b16f70e94d9 · 2025-10-22T16:45:25.000-04:00
Moved permissions to the workflow level for clarity.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -7,16 +7,17 @@ on:
 
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
+permissions:
+    id-token: write # OIDC for npm Trusted Publishing
+    contents: write
+    pull-requests: write
+
 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
     outputs:
       published: ${{ steps.changesets.outputs.published }}
-    permissions:
-      id-token: write # required for provenance https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions
-      contents: write
-      pull-requests: write
     steps:
       - uses: actions/checkout@v4
 
@@ -37,4 +38,4 @@ jobs:
     uses: workleap/wl-reusable-workflows/.github/workflows/linearb-deployment.yml@main
     with:
       environment: 'release'
-    secrets: inherit
+    secrets: inherit
