fix workload permissions

.github/workflows/backend_deploy_workflow.yaml

@@ -12,10 +12,6 @@ on:
         description: "version to deploy"
         required: true
 
-permissions:
-  contents: read
-  id-token: "write" # needed for using open id token to authenticate with GCP
-
 jobs:
   build_and_deploy_backend:
     name: Build and deploy back-end

.github/workflows/backend_test_workflow.yaml

@@ -2,11 +2,6 @@ name: Test back-end
 
 on: [workflow_call]
 
-permissions:
-  contents: read
-  pull-requests: read
-  checks: write
-
 jobs:
   test_backend:
     name: Test back-end

.github/workflows/build_and_test.yaml

@@ -8,4 +8,8 @@ concurrency:
 
 jobs:
   test_backend:
+    permissions:
+      contents: read
+      pull-requests: read
+      checks: write
     uses: ./.github/workflows/backend_test_workflow.yaml

.github/workflows/deploy_production.yaml

@@ -11,11 +11,18 @@ concurrency:
 
 jobs:
   test_backend:
+    permissions:
+      contents: read
+      pull-requests: read
+      checks: write
     uses: ./.github/workflows/backend_test_workflow.yaml
 
   build_and_deploy_backend:
     needs: test_backend
     uses: ./.github/workflows/backend_deploy_workflow.yaml
+    permissions:
+      contents: read
+      id-token: "write" # needed for using open id token to authenticate with GCP services
     with:
       environment: "production"
       version: ${{ github.ref_name }}

.github/workflows/deploy_staging.yaml

@@ -11,11 +11,18 @@ concurrency:
 
 jobs:
   test_backend:
+    permissions:
+      contents: read
+      pull-requests: read
+      checks: write
     uses: ./.github/workflows/backend_test_workflow.yaml
 
   build_and_deploy_backend:
     needs: test_backend
     uses: ./.github/workflows/backend_deploy_workflow.yaml
+    permissions:
+      contents: read
+      id-token: "write" # needed for using open id token to authenticate with GCP services
     with:
       environment: "staging"
       version: latest