From bb2f6ba9a9fe729a8d68423842648e5fc44b0644 Mon Sep 17 00:00:00 2001
From: Ramona Hartinger <r.hartinger@adito.de>
Date: Fri, 2 Jan 2026 07:16:06 +0100
Subject: [PATCH] ci: only allowed sonar job to read PRs

---
 .github/workflows/nodejs.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index bcf034c..ccad419 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -5,9 +5,6 @@ on:
     branches: ["main"]
   pull_request:
 
-permissions:
-  pull-requests: read # allows SonarCloud to decorate PRs with analysis results
-
 jobs:
   build:
     strategy:
@@ -41,6 +38,8 @@ jobs:
     name: Run eslint and sonar scanning
     runs-on: ubuntu-latest
     needs: build
+    permissions:
+      pull-requests: read # allows SonarCloud to decorate PRs with analysis results
     steps:
       - name: Checkout code
         uses: actions/checkout@v6