From 78573231af4c2de3f194369be0ca8406524d3a8d Mon Sep 17 00:00:00 2001
From: Sean Molenaar <SMillerDev@users.noreply.github.com>
Date: Sun, 13 Oct 2024 15:49:59 +0200
Subject: [PATCH] fix: only scope permissions to build job

---
 .github/workflows/pkg-installer.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/pkg-installer.yml b/.github/workflows/pkg-installer.yml
index c1ce3ce9c0070..15aff146a6e41 100644
--- a/.github/workflows/pkg-installer.yml
+++ b/.github/workflows/pkg-installer.yml
@@ -11,10 +11,6 @@ on:
   release:
     types:
       - published
-permissions:
-  contents: read # for code access
-  attestations: write # for actions/attest-build-provenance
-  id-token: write # for actions/attest-build-provenance
 env:
   PKG_APPLE_DEVELOPER_TEAM_ID: ${{ secrets.PKG_APPLE_DEVELOPER_TEAM_ID }}
   HOMEBREW_NO_ANALYTICS_THIS_RUN: 1
@@ -35,6 +31,10 @@ jobs:
       TEMPORARY_KEYCHAIN_FILE: 'homebrew_installer_signing.keychain-db'
       # Set to the oldest supported version of macOS
       HOMEBREW_MACOS_OLDEST_SUPPORTED: '13.0'
+    permissions:
+      contents: read # for code access
+      attestations: write # for actions/attest-build-provenance
+      id-token: write # for actions/attest-build-provenance
     steps:
       - name: Remove existing API cache (to force update)
         run: rm -rvf ~/Library/Caches/Homebrew/api