From b6e00b77e3104fe900aa82e77d81b59e27c067e4 Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Tue, 17 Mar 2026 17:24:39 -0400 Subject: [PATCH] ci: scope permissions to jobs in publish-image workflow --- .github/workflows/publish-image.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml index 6767a5400..2b91f564b 100644 --- a/.github/workflows/publish-image.yml +++ b/.github/workflows/publish-image.yml @@ -12,12 +12,6 @@ concurrency: group: publish-${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read - packages: write - id-token: write - attestations: write - env: IMAGE_DESCRIPTION: Fizzy is Kanban as it should be. Not as it has been. SOURCE_URL: https://github.com/${{ github.repository }} @@ -27,6 +21,11 @@ jobs: name: Build and push image (${{ matrix.arch }}) runs-on: ${{ matrix.runner }} timeout-minutes: 45 + permissions: + contents: read + packages: write + id-token: write + attestations: write strategy: fail-fast: false matrix: @@ -113,6 +112,9 @@ jobs: if: github.event_name != 'pull_request' runs-on: ubuntu-latest timeout-minutes: 20 + permissions: + packages: write + id-token: write env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }}