bcgov · DarylTodosichuk · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026
diff --git a/.github/workflows/docker-build-dev.yml b/.github/workflows/docker-build-dev.yml
@@ -1,6 +1,4 @@
 name: Dev - Build & Push docker images
-permissions:
-  contents: read
 
 on:
   push:
@@ -42,6 +40,8 @@ jobs:
   Setup:
     runs-on: ubuntu-latest
     environment: dev
+    permissions:
+      contents: read
     steps:
     - name: Get variables
       run: |
@@ -61,6 +61,8 @@ jobs:
     needs: [Setup]
     runs-on: ubuntu-latest
     environment: dev
+    permissions:
+      contents: read
     steps:
     - name: Checkout repository
       uses: actions/checkout@v6
@@ -111,6 +113,8 @@ jobs:
     needs: [Setup,Branch,PushVariables]
     runs-on: ubuntu-latest
     environment: dev
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@v6
     - name: Build Docker images

diff --git a/.github/workflows/docker-build-main.yml b/.github/workflows/docker-build-main.yml
@@ -1,6 +1,4 @@
 name: Main - Build & Push docker images
-permissions:
-  contents: read
 
 on:
   push:
@@ -42,6 +40,8 @@ jobs:
   Setup:
     runs-on: ubuntu-latest
     environment: main
+    permissions:
+      contents: read
     steps:
     - name: Get variables
       run: |
@@ -61,6 +61,8 @@ jobs:
     needs: [Setup]
     runs-on: ubuntu-latest
     environment: main
+    permissions:
+      contents: read
     steps:
     - name: Checkout repository
       uses: actions/checkout@v6
@@ -168,6 +170,8 @@ jobs:
     needs: [Setup,Branch,GenerateTag,PushVariables]
     runs-on: ubuntu-latest
     environment: main
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@v6
     - name: Build Docker images

diff --git a/.github/workflows/docker-build-test.yml b/.github/workflows/docker-build-test.yml
@@ -1,6 +1,4 @@
 name: Test - Build & Push docker images
-permissions:
-  contents: read
 
 on:
   push:
@@ -42,6 +40,8 @@ jobs:
   Setup:
     runs-on: ubuntu-latest
     environment: test
+    permissions:
+      contents: read
     steps:
     - name: Get variables
       run: |
@@ -61,6 +61,8 @@ jobs:
     needs: [Setup]
     runs-on: ubuntu-latest
     environment: test
+    permissions:
+      contents: read
     steps:
     - name: Checkout repository
       uses: actions/checkout@v6
@@ -89,6 +91,8 @@ jobs:
     needs: [Setup,Branch]
     runs-on: ubuntu-latest
     environment: test
+    permissions:
+      contents: write
     steps:
     - name: Checkout repository
       uses: actions/checkout@v6
@@ -114,6 +118,7 @@ jobs:
     needs: [Setup,Branch,GenerateTag]
     permissions:
       actions: write
+      contents: read
     runs-on: ubuntu-latest
     environment: test
     steps:
@@ -144,6 +149,8 @@ jobs:
     needs: [Setup,Branch,GenerateTag,PushVariables]
     runs-on: ubuntu-latest
     environment: test
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@v6
     - name: Build Docker images

diff --git a/.github/workflows/manual-trigger.yml b/.github/workflows/manual-trigger.yml
@@ -1,8 +1,6 @@
 # This is a basic workflow that is manually triggered
 
 name: Workflow - Run manual trigger
-permissions:
-  contents: read
 
 # Controls when the action will run. Workflow runs when manually triggered
 on:
@@ -39,6 +37,8 @@ jobs:
   Setup:
     runs-on: ubuntu-latest
     environment: ${{ inputs.name }}
+    permissions:
+      contents: read
     steps:
     - name: Get variables
       run: |
@@ -57,6 +57,8 @@ jobs:
     needs: [Setup]
     runs-on: ubuntu-latest
     environment: ${{ inputs.name }}
+    permissions:
+      contents: read
     steps:
     - name: Checkout repository
       uses: actions/checkout@v6
@@ -86,6 +88,7 @@ jobs:
     environment: ${{ inputs.name }}
     permissions:
       actions: write
+      contents: read
     steps:
     - name: Checkout repository
       uses: actions/checkout@v6
@@ -106,6 +109,8 @@ jobs:
     needs: [Setup,Branch,PushVariables]
     runs-on: ubuntu-latest
     environment: ${{ inputs.name }}
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@v6
     - name: Build Docker images

diff --git a/.github/workflows/pr-check-dev-branch.yml b/.github/workflows/pr-check-dev-branch.yml
@@ -1,9 +1,5 @@
 name: Dev - Branch Protection - CI & Unit Tests
 
-permissions:
-  contents: read
-  pull-requests: write
-
 on:
   pull_request:
     branches:
@@ -15,6 +11,8 @@ jobs:
   # ---------------------------------------------------------------------
   check-dev-branch:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       branch-allowed: ${{ steps.branch-check.outputs.allowed }}
     steps:
@@ -41,6 +39,8 @@ jobs:
     needs: check-dev-branch
     if: needs.check-dev-branch.outputs.branch-allowed == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       matrix: ${{ steps.discover.outputs.matrix }}
     steps:
@@ -60,6 +60,8 @@ jobs:
   test-project:
     needs: discover-test-projects
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       fail-fast: false
@@ -96,6 +98,9 @@ jobs:
   aggregate-results:
     needs: test-project
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - uses: actions/download-artifact@v4
         with:

diff --git a/.github/workflows/pr-check-main-branch.yml b/.github/workflows/pr-check-main-branch.yml
@@ -1,8 +1,4 @@
 name: Main - Branch Protection - CI & Unit Tests
-permissions:
-  contents: read
-  pull-requests: write
-  issues: write
 
 on:
   pull_request:
@@ -15,6 +11,8 @@ jobs:
   # ---------------------------------------------------------------------  
   check-main-branch:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       branch-allowed: ${{ steps.branch-check.outputs.allowed }}    
     steps:
@@ -37,6 +35,8 @@ jobs:
     needs: check-main-branch
     if: needs.check-main-branch.outputs.branch-allowed == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       matrix: ${{ steps.discover.outputs.matrix }}
     steps:
@@ -56,6 +56,8 @@ jobs:
   test-project:
     needs: discover-test-projects
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       fail-fast: false
@@ -92,6 +94,10 @@ jobs:
   aggregate-results:
     needs: test-project
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
     steps:
       - uses: actions/download-artifact@v4
         with:

diff --git a/.github/workflows/pr-check-test-branch.yml b/.github/workflows/pr-check-test-branch.yml
@@ -1,8 +1,4 @@
 name: Test - Branch Protection - CI & Unit Tests
-permissions:
-  contents: read
-  pull-requests: write
-  issues: write
 
 on:
   pull_request:
@@ -15,6 +11,8 @@ jobs:
   # ---------------------------------------------------------------------  
   check-test-branch:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       branch-allowed: ${{ steps.branch-check.outputs.allowed }}    
     steps:
@@ -39,6 +37,8 @@ jobs:
     needs: check-test-branch
     if: needs.check-test-branch.outputs.branch-allowed == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       matrix: ${{ steps.discover.outputs.matrix }}
     steps:
@@ -58,6 +58,8 @@ jobs:
   test-project:
     needs: discover-test-projects
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     strategy:
       fail-fast: false
@@ -94,6 +96,10 @@ jobs:
   aggregate-results:
     needs: test-project
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
     steps:
       - uses: actions/download-artifact@v4
         with:

diff --git a/.github/workflows/sonarsource-scan.yml b/.github/workflows/sonarsource-scan.yml
@@ -9,15 +9,14 @@ on:
 #      - main
 #  pull_request:
 #    types: [opened, synchronize, reopened]
-#  workflow_dispatch:
+  workflow_dispatch:
 
 permissions:
   contents: read
   pull-requests: write
   checks: write
   security-events: write
 
-
 jobs:
   sonarcloud:
     name: SonarCloud
@@ -79,10 +78,6 @@ jobs:
         working-directory: ./applications/Unity.GrantManager
         run: dotnet build Unity.GrantManager.sln --no-restore
 
-      - name: Run tests with coverage
-        working-directory: ./applications/Unity.GrantManager
-        run: dotnet test Unity.GrantManager.sln --no-build --verbosity normal --collect:"XPlat Code Coverage" --results-directory ./TestResults/
-
       - name: SonarCloud Scan
         uses: SonarSource/sonarqube-scan-action@v7
         with: