build-docker-images: Fix access to id-token to sign images
authorRemi Gacogne <remi.gacogne@powerdns.com>
Mon, 22 Sep 2025 12:57:14 +0000 (14:57 +0200)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Mon, 22 Sep 2025 13:57:06 +0000 (15:57 +0200)
Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>
.github/workflows/build-docker-images-dispatch.yml
.github/workflows/build-docker-images.yml

index a1ad31e7609b4e20965b1b4dce0d8f4d88d3fe09..7f52f31e1c85a66837fee16aa37a8409dfaf6cbc 100644 (file)
@@ -35,6 +35,9 @@ on:
 permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
   contents: read
   actions: read
+  # This is used to complete the identity challenge
+  # with sigstore/fulcio when running outside of PRs.
+  id-token: write
 
 jobs:
   prepare:
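Review bot: `id-token: write` is added at workflow level here without the job-level `permissions:` overrides that the sibling change to build-docker-images.yml adds to its non-signing jobs, so every job in this dispatch workflow can now request an OIDC token rather than only the one that needs it. The `prepare` job begins on the last line of the hunk and its body is outside it, so I cannot tell whether it uses the scope; if it only computes inputs, giving it (and any other job that does not call the reusable build workflow) a job-level `permissions:` / `contents: read` block would confine the grant to the calling job. As far as I recall, a reusable workflow cannot hold more than its caller job grants, so the job that invokes build-docker-images.yml is the one place this scope has to be present.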
index 175fe9fcd1b2991cfbe0a79f317399fe2f4a7b1d..116ad31d49a348637a834e33d2032e8d4d41b982 100644 (file)
@@ -49,11 +49,16 @@ on:
 
 permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
   contents: read
+  # This is used to complete the identity challenge
+  # with sigstore/fulcio when running outside of PRs.
+  id-token: write
 
 jobs:
   validate-push-image:
     name: Check only images built from tags and master are pushed
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:
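Review bot: The workflow-level `id-token: write` added under the top `permissions:` block inverts the least-privilege default that the rest of this commit then restores job by job: any job without its own `permissions:` block now inherits the ability to mint an OIDC token, while the signing job already declares `id-token: write` at job level in the later hunk (`permissions:` / `contents: read` / `id-token: write`). Because a job-level `permissions:` block replaces the workflow-level set rather than adding to it, keeping the top-level block at `contents: read` and leaving the grant only on the signing job would make the per-job `contents: read` additions in this hunk and in the prepare-runner-os-list, build and final check-image hunks unnecessary, and a job added later would not silently inherit the scope. If the grant must stay at workflow level for a reason I cannot see from the diff, a comment such as `# every job that does not sign must override this with its own permissions block` next to it would stop the next reader from removing it or from adding a job without an override.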
@@ -71,6 +76,8 @@ jobs:
   prepare-runner-os-list:
     name: generate list of runner-architecture pairs based on the input "platforms"
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     outputs:
       runnerlist: ${{ steps.get-runnerlist.outputs.runnerlist }}
     steps:
@@ -94,6 +101,8 @@ jobs:
       fail-fast: false
       matrix:
         platform: ${{ fromJson(needs.prepare-runner-os-list.outputs.runnerlist) }}
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:
@@ -158,6 +167,11 @@ jobs:
     runs-on: ubuntu-24.04
     if: ${{ inputs.push }}
     needs: build
+    permissions:
+      contents: read
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
     outputs:
       image-digest: ${{ steps.get-image-digest.outputs.image-digest }}
     env:
@@ -220,6 +234,8 @@ jobs:
       INPUT_IMAGE_TAGS: ${{ inputs.image-tags }}
       INPUT_PLATFORMS: ${{ inputs.platforms }}
       IMAGE_NAME: ${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}/${{ inputs.image-name }}
+    permissions:
+      contents: read
     steps:
       - name: Check running image
         run: |