From 495d6eab30fcde1b995c492a4d6bf4e698c299b1 Mon Sep 17 00:00:00 2001
From: Peter Oschwald <oschwaldp@objectcomputing.com>
Date: Wed, 12 Jul 2023 15:20:36 -0500
Subject: [PATCH] Try to rework permissions to leave top level read, but pass
 write to build-base.

---
 .github/workflows/build.yaml                     | 5 ++++-
 .github/workflows/ph_backward_compatibility.yaml | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 593dce030a..0ad6bbd794 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -23,7 +23,7 @@ on:
         type: string
 
 permissions:
-  packages: write
+  packages: read
   contents: read
 
 defaults:
@@ -33,6 +33,9 @@ defaults:
 jobs:
   build-base:
     uses: .github/workflows/build_base.yaml
+    permissions:
+      packages: write
+      contents: read
 
   v:
     name: Discover Versions
diff --git a/.github/workflows/ph_backward_compatibility.yaml b/.github/workflows/ph_backward_compatibility.yaml
index d9045f4013..b3bf8efc5b 100644
--- a/.github/workflows/ph_backward_compatibility.yaml
+++ b/.github/workflows/ph_backward_compatibility.yaml
@@ -4,7 +4,7 @@ on:
   workflow_dispatch:
 
 permissions:
-  packages: write
+  packages: read
   contents: read
 
 defaults:
@@ -14,6 +14,9 @@ defaults:
 jobs:
   build-base:
     uses: .github/workflows/build_base.yaml
+    permissions:
+      packages: read
+      contents: read
 
   tests:
     name: Tests