Tighten permissions

hugovk · hugovk · commit a1740d85a91f · 2023-08-21T08:51:56.000+03:00
diff --git a/.github/workflows/pypi-package.yml b/.github/workflows/pypi-package.yml
@@ -13,7 +13,6 @@ on:
 
 permissions:
   contents: read
-  id-token: write
 
 jobs:
   # Always build & lint package.
@@ -35,6 +34,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: build-package
 
+    permissions:
+      id-token: write
+
     steps:
       - name: Download packages built by build-and-inspect-python-package
         uses: actions/download-artifact@v3
@@ -55,6 +57,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: build-package
 
+    permissions:
+      id-token: write
+
     steps:
       - name: Download packages built by build-and-inspect-python-package
         uses: actions/download-artifact@v3
