From 2d9f1f1abc6bc351cc1ca4d38c38e5987639ef38 Mon Sep 17 00:00:00 2001
From: Leonardo Grasso <me@leonardograsso.com>
Date: Thu, 27 Nov 2025 17:23:19 +0100
Subject: [PATCH] fix(.github): ghcr.io rate-limit mitigation

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
---
 .github/workflows/ci.yml                      | 1 +
 .github/workflows/master.yaml                 | 4 ++++
 .github/workflows/release.yaml                | 4 ++++
 .github/workflows/reusable_test_packages.yaml | 5 +++++
 4 files changed, 14 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b0060803..5fae83d5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,6 +14,7 @@ concurrency:
 
 permissions:  
   contents: read
+  packages: read
   
 jobs:
   fetch-version:
diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
index 9f3a1e6e..876b6150 100644
--- a/.github/workflows/master.yaml
+++ b/.github/workflows/master.yaml
@@ -3,6 +3,10 @@ on:
   push:
     branches: [master]
 
+permissions:  
+  contents: read
+  packages: read
+
 # Checks if any concurrent jobs is running for master CI and eventually cancel it
 concurrency:
   group: ci-master
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 74e3a4da..9a8ea926 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -3,6 +3,10 @@ on:
   release:
     types: [published]
 
+permissions:  
+  contents: read
+  packages: read
+
 # Checks if any concurrent jobs is running for release CI and eventually cancel it.
 concurrency:
   group: ci-release
diff --git a/.github/workflows/reusable_test_packages.yaml b/.github/workflows/reusable_test_packages.yaml
index 5bb5b17e..bf8bfa4b 100644
--- a/.github/workflows/reusable_test_packages.yaml
+++ b/.github/workflows/reusable_test_packages.yaml
@@ -23,6 +23,7 @@ on:
 
 permissions:  
   contents: read
+  packages: read
   
 jobs:
   test-packages:
@@ -56,6 +57,10 @@ jobs:
       - name: Run tests
         env:
           LSAN_OPTIONS: "intercept_tls_get_addr=0"
+          # Authenticate to GitHub Container Registry to pull falcoctl image
+          # This is a temporary mitigation for the rate limiting issue
+          # See https://github.com/falcosecurity/rules/issues/331
+          FALCOCTL_REGISTRY_AUTH_BASIC: ghcr.io,${{ github.actor }},${{ github.token }}
         uses: falcosecurity/testing@main
         with:
           test-falco: 'true'