From 1d73b2f0a91e59bf67c9def03b0e31da2d446c79 Mon Sep 17 00:00:00 2001
From: Leonardo Di Giovanna
Date: Wed, 1 Apr 2026 10:49:54 +0200
Subject: [PATCH] ci: restore minimum set of required permissions

Commit #8171176 reduced workflow permissions and only allowed read accesses to repo content. However, some workflows require write permissions for token-id and attestations: these requirements resulted in both master and release CIs being broken in the last month. While still applying least privilege principle, this patch restores the minimum set of required ones.

Signed-off-by: Leonardo Di Giovanna
---
.github/workflows/master.yaml | 7 +++++++
.github/workflows/release.yaml | 7 +++++++
2 files changed, 14 insertions(+)

diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
index 9fb4a161..c7b8516f 100644
--- a/.github/workflows/master.yaml
+++ b/.github/workflows/master.yaml
@@ -56,6 +56,9 @@ jobs:
 publish-dev-packages:
 needs: [fetch-version, test-dev-packages, test-dev-packages-arm64]
+ permissions:
+ id-token: write
+ contents: read
 uses: ./.github/workflows/reusable_publish_packages.yaml
 with:
 bucket_suffix: '-dev'
@@ -84,6 +87,10 @@ jobs:
 publish-dev-docker:
 needs: [fetch-version, build-dev-docker, build-dev-docker-arm64]
+ permissions:
+ attestations: write
+ id-token: write
+ contents: read
 uses: ./.github/workflows/reusable_publish_docker.yaml
 with:
 tag: master
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 65204e51..388eedef 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -96,6 +96,9 @@ jobs:
 publish-packages:
 needs: [release-settings, test-packages, test-packages-arm64]
+ permissions:
+ id-token: write
+ contents: read
 uses: ./.github/workflows/reusable_publish_packages.yaml
 with:
 bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
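Review bot: The new job-level `permissions` block on publish-dev-packages resets every scope it does not list to `none`, which is why `contents: read` has to be repeated here even though the commit message says read access was already the default; a one-line comment would stop a future cleanup from dropping it, e.g. `# an explicit permissions block sets unlisted scopes to none; keep contents: read for checkout`. Because this job only `uses:` a reusable workflow, the scopes granted here are a ceiling for the called workflow's own jobs, and reusable_publish_packages.yaml is not in the diff, so confirm that any `permissions` it declares stay within `id-token: write` and `contents: read`. It would also help to record what the OIDC token is for, e.g. `# id-token: write — lets the called workflow request an OIDC token (presumably for cloud auth; confirm)`. The same points apply to the publish-packages hunk in release.yaml.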
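Review bot: `attestations: write` on publish-dev-docker is only usable together with `id-token: write`, which the hunk does include, but nothing records that coupling; a comment such as `# attestations + id-token: write are both needed to sign and store build provenance` keeps a later edit from removing one of the pair. If the called reusable_publish_docker.yaml pushes images to GHCR it would additionally need `packages: write`, which this ceiling does not grant — the reusable workflow is outside the diff, so verify against it. The same block is added to publish-docker in release.yaml, where the job already has `secrets: inherit`, so keeping this permission list to the minimum shown is worth stating in a comment there too.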
@@ -125,6 +128,10 @@ jobs:
 publish-docker:
 needs: [release-settings, build-docker, build-docker-arm64]
+ permissions:
+ attestations: write
+ id-token: write
+ contents: read
 uses: ./.github/workflows/reusable_publish_docker.yaml
 secrets: inherit
 with: