Use job-level permissions in caller workflows (#7817)

ZainRizvi · web-flow · commit 438f9221de96 · 2026-03-06T16:48:27.000-06:00
## Summary Move permissions from workflow level to job level in caller workflows for the reusable Claude Code workflow. Updates test-infra's own caller and the setup script template Verified job-level permissions working on ciforge: https://github.com/pytorch/ciforge/actions/runs/22781976814 ## Test plan - [x] Job-level permissions verified working on ciforge (run linked above)
diff --git a/.github/scripts/setup-claude-environment.py b/.github/scripts/setup-claude-environment.py
@@ -41,15 +41,14 @@
   issues:
     types: [opened]
 
-permissions:
-  contents: read
-  pull-requests: write
-  issues: write
-  id-token: write
-
 jobs:
   claude-code:
     uses: pytorch/test-infra/.github/workflows/_claude-code.yml@main
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      id-token: write
     secrets: inherit
 """
 
diff --git a/.github/workflows/claude-code.yml b/.github/workflows/claude-code.yml
@@ -6,13 +6,12 @@ on:
   issues:
     types: [opened]
 
-permissions:
-  contents: read
-  pull-requests: write
-  issues: write
-  id-token: write
-
 jobs:
   claude-code:
     uses: ./.github/workflows/_claude-code.yml
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      id-token: write
     secrets: inherit
