ci: restore minimum set of required permissions

Commit #8171176 reduced workflow permissions and only allowed read
access to repo content. However, some workflows require write
permissions for id-token and attestations: these requirements resulted
in both master and release CIs being broken in the last month.

While still applying the least privilege principle, this patch restores
the minimum set of required ones.

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Leonardo Di Giovanna
2026-04-01 10:49:54 +02:00
committed by poiana
parent 8207e20e46
commit 1d73b2f0a9
2 changed files with 14 additions and 0 deletions


@@ -56,6 +56,9 @@ jobs:
publish-dev-packages:
needs: [fetch-version, test-dev-packages, test-dev-packages-arm64]
permissions:
id-token: write
contents: read
uses: ./.github/workflows/reusable_publish_packages.yaml
with:
bucket_suffix: '-dev'
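Review bot: the new `permissions` block on `publish-dev-packages` carries no comment saying which step of `reusable_publish_packages.yaml` consumes the OIDC token, so the next permissions cleanup can drop `id-token: write` for exactly the reason commit 8171176 did; add a one-line comment above `id-token: write` naming the consumer. Keep the explicit `contents: read` as written: a job-level `permissions` key sets every scope it does not list to `none`, so it is needed here even though read is the workflow default.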
@@ -84,6 +87,10 @@ jobs:
publish-dev-docker:
needs: [fetch-version, build-dev-docker, build-dev-docker-arm64]
permissions:
attestations: write
id-token: write
contents: read
uses: ./.github/workflows/reusable_publish_docker.yaml
with:
tag: master
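Review bot: `attestations: write` on `publish-dev-docker` is only usable together with `id-token: write` (artifact attestations are signed with the job's OIDC identity), and both are present, so the triple is consistent; the same request for a comment naming the attestation and signing steps applies. One thing to verify before merging: for a workflow called via `uses:`, the caller's `permissions` block is a ceiling that the called workflow can narrow but not widen, so if `reusable_publish_docker.yaml` declares its own `permissions`, it must not ask for more than `attestations`, `id-token` and `contents: read`.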


@@ -96,6 +96,9 @@ jobs:
publish-packages:
needs: [release-settings, test-packages, test-packages-arm64]
permissions:
id-token: write
contents: read
uses: ./.github/workflows/reusable_publish_packages.yaml
with:
bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
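Review bot: same documentation point for `publish-packages` in the release pipeline: comment which step needs `id-token: write`. Because the job-level `permissions` key replaces the workflow default entirely, any other scope `reusable_publish_packages.yaml` happens to touch (for example a `contents` write) would surface only as a 403 at run time, not at workflow validation, so confirm against the reusable workflow that `id-token: write` plus `contents: read` is really the full set before this goes into a release.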
@@ -125,6 +128,10 @@ jobs:
publish-docker:
needs: [release-settings, build-docker, build-docker-arm64]
permissions:
attestations: write
id-token: write
contents: read
uses: ./.github/workflows/reusable_publish_docker.yaml
secrets: inherit
with:
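Review bot: `publish-docker` combines `secrets: inherit` with `id-token: write` and `attestations: write`, which makes it the most privileged job in the release pipeline, and the hunk is cut before the `with:` inputs, so the parameters handed to the reusable workflow are not visible here. Document in a comment which of the three scopes the attestation step and the signing step each need, and keep `secrets: inherit` only if the reusable workflow cannot take named secrets: `inherit` passes every secret available to the calling workflow regardless of which ones the called workflow uses.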