Fix permission for docker attestation (#1511)

2026-04-03 17:34:03 +02:00 · 2026-01-31 21:13:38 +08:00
parent 41a26c1c0f
commit bc142a25ff
1 changed files with 5 additions and 2 deletions
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -21,8 +21,6 @@ env:

 permissions:
  contents: read
-  # TODO(zanieb): Ideally, this would be `read` on dry-run but that will require
-  # significant changes to the workflow.
  packages: write # zizmor: ignore[excessive-permissions]

 jobs:
@@ -116,6 +114,11 @@ jobs:
      name: release
    needs:
      - docker-build
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
    if: ${{ inputs.plan != '' && !fromJson(inputs.plan).announcement_tag_is_implicit }}
    steps:
      - name: Download digests