From 340802720dba2f42a73868ef47c1aac6ddd9c82b Mon Sep 17 00:00:00 2001
From: gitclonebrian <235774926+gitclonebrian@users.noreply.github.com>
Date: Tue, 25 Nov 2025 21:54:48 -0500
Subject: [PATCH] [update-versions.yml] Implement least privilege permissions

- Add empty permission set at workflow level
- Remove contents:write from job, add to GitHub App token
---
 .github/workflows/update-versions.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/update-versions.yml b/.github/workflows/update-versions.yml
index 64845eb3..96d250f1 100644
--- a/.github/workflows/update-versions.yml
+++ b/.github/workflows/update-versions.yml
@@ -3,6 +3,8 @@ name: Update Versions
 on:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   setup:
     name: Setup
@@ -101,7 +103,6 @@ jobs:
     runs-on: ubuntu-24.04
     needs: setup
     permissions:
-      contents: write
       id-token: write
     steps:
       - name: Log in to Azure
@@ -127,6 +128,8 @@ jobs:
         with:
           app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
           private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          permission-contents: write
+
       - name: Checkout Branch
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
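Review bot: The new workflow-level `permissions: {}` deserves a one-line comment so the next maintainer does not restore scopes at the top instead of on the job that needs them; e.g. `# Default-deny baseline: each job declares the scopes it needs in its own permissions block.` With this baseline any job that has no `permissions:` block of its own receives a GITHUB_TOKEN with no scopes at all, and the `setup` job starts right below the added lines but its body is outside the hunk, so confirm it either declares its own scopes or does nothing that needs the token (on a private repository, actions/checkout needs `contents: read`).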
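Review bot: After `contents: write` is removed, this job's GITHUB_TOKEN keeps only `id-token: write` and carries no `contents: read`, so the `Checkout Branch` step shown in the third hunk will fail on a private repository unless it is handed the App token through `token:`, which is not visible in the hunk. If that step does use the App token, no further change is needed; if it relies on the default token, add `contents: read` under `permissions:` next to `id-token: write`. The job's `steps:` list continues beyond the hunk, so any other step that reads the repository through GITHUB_TOKEN is affected the same way.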
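Review bot: `permission-contents: write` narrows only the permission set of the App token, not its repository scope, and the `owner:`/`repositories:` inputs of this step are outside the hunk; the action mints a token for every repository of the installation when `owner:` is given without `repositories:`, so confirm the step pins `repositories:` to this one (or sets neither, which scopes the token to the current repository). If a later step opens a pull request with this token, `permission-pull-requests: write` is needed as well, since contents alone covers pushes. A comment above the new line, `# Contents write lives on the App token only; GITHUB_TOKEN no longer has it`, would record why the scope moved here.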