Move permission to workflow level

jiechen0826 · Feb 11, 2025 · 4be6a0b · 4be6a0b
1 parent 6fac8e2
commit 4be6a0b
Showing 1 changed file with 5 additions and 17 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -18,6 +18,10 @@ env:
   LCOW_ARTIFACT_VERSION: "*.*.*"
   LINUX_BOOT_FILES_PATH: ${{ github.workspace }}/LinuxBootFiles
 
+permissions:
+  id-token: write   # This is required for OIDC login (azure/login) to succeed
+  contents: read    # This is required for actions/checkout to succeed
+
 jobs:
   lint:
     runs-on: "windows-2022"
@@ -246,28 +250,12 @@ jobs:
       - self-hosted
       - 1ES.Pool=containerplat-github-runner-pool-east-us-2
       - 1ES.ImageOverride=github-mms-ubuntu-22
-    permissions:
-      id-token: write   # This is required for OIDC login (azure/login) to succeed
-      contents: read    # This is required for actions/checkout to succeed
     steps:
     - name: Checkout hcsshim
       uses: actions/checkout@v4
       with:
         show-progress: false
-
-    # print oidc token claims manually
-    - name: print oidc token claims
-      run: |
-          IDTOKEN=$(curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" -H "Accept: application/json; api-version=2.0" -H "Content-Type: application/json"  | jq -r '.value')
-          jwtd() {
-            if [[ -x $(command -v jq) ]]; then
-                jq -R 'split(".") | .[1] | @base64d | fromjson' <<< "${1}" > jwt_claims.json
-                cat jwt_claims.json
-                echo ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL}} 
-            fi
-          }
-          jwtd $IDTOKEN
-            
+
     # Install Azure CLI and login to Azure
     - name: Azure OIDC Login
       uses: azure/login@v2