Merge pull request #11435 from kata-containers/release-flow-permissions-fix(es)

workflows: Fix permissions

.github/workflows/ci-weekly.yaml

@@ -119,3 +119,6 @@ jobs:
       AZ_APPID: ${{ secrets.AZ_APPID }}
       AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
       AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+    permissions:
+      contents: read
+      id-token: write

.github/workflows/release-amd64.yaml

@@ -20,6 +20,11 @@ jobs:
       stage: release
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
 
   kata-deploy:
     needs: build-kata-static-tarball-amd64

.github/workflows/release-arm64.yaml

@@ -20,6 +20,11 @@ jobs:
       stage: release
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
 
   kata-deploy:
     needs: build-kata-static-tarball-arm64

.github/workflows/release-ppc64le.yaml

@@ -20,6 +20,11 @@ jobs:
       stage: release
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
 
   kata-deploy:
     needs: build-kata-static-tarball-ppc64le

.github/workflows/release-s390x.yaml

@@ -23,6 +23,11 @@ jobs:
     secrets:
       CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
 
 
   kata-deploy: