From d32fc1d4e6e43a2a9ed54c6db306fb8f8fd4d23a Mon Sep 17 00:00:00 2001
From: Mike Alfare <mike.alfare@dbtlabs.com>
Date: Fri, 11 Oct 2024 13:33:29 -0400
Subject: [PATCH] fix permissions

---
 .github/workflows/code-quality.yml |  3 +++
 .github/workflows/publish-pypi.yml | 10 +---------
 .github/workflows/publish.yml      |  6 ++++--
 .github/workflows/unit-tests.yml   |  3 +++
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
index f9d870e0..425940da 100644
--- a/.github/workflows/code-quality.yml
+++ b/.github/workflows/code-quality.yml
@@ -22,6 +22,9 @@ on:
         type: string
         default: "dbt-labs/dbt-athena"
 
+permissions:
+  contents: read
+
 jobs:
   code-quality:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
index fce0a3b4..85be5267 100644
--- a/.github/workflows/publish-pypi.yml
+++ b/.github/workflows/publish-pypi.yml
@@ -19,15 +19,6 @@ on:
 permissions:
   contents: read
 
-# don't attempt to release the same target in parallel
-concurrency:
-  group: ${{ github.workflow }}-${{ inputs.package }}-${{ inputs.deploy-to }}
-  cancel-in-progress: true
-
-defaults:
-  run:
-    shell: bash
-
 jobs:
   publish:
     runs-on: ubuntu-latest
@@ -49,6 +40,7 @@ jobs:
       # hatch will build using test PyPI first and fall back to prod PyPI when deploying to test
       # this is done via environment variables in the test environment in GitHub
       - run: hatch build && hatch run build:check-all
+        shell: bash
         working-directory: ./${{ inputs.package }}
       - uses: pypa/gh-action-pypi-publish@release/v1
         with:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 8a673f6f..82597c7d 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,8 +12,10 @@ on:
         type: string
         default: "main"
 
-permissions:
-  contents: read
+# don't attempt to release the same target in parallel
+concurrency:
+  group: ${{ github.workflow }}-${{ inputs.deploy-to }}
+  cancel-in-progress: true
 
 jobs:
   unit-tests:
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index a9275130..077be65d 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -30,6 +30,9 @@ on:
         type: string
         default: "dbt-labs/dbt-athena"
 
+permissions:
+  contents: read
+
 jobs:
   unit-tests:
     runs-on: ubuntu-latest