builder-dispatch: Explicitly grant id-token: write to the build package workflow

diff --git a/.github/workflows/builder-dispatch.yml b/.github/workflows/builder-dispatch.yml
index 456af0af244f9b73350f8229d7fec5f433c84d23..30cab32c47f78a3b74a7ebfaa7ff65078741b3d0 100644 (file)
--- a/.github/workflows/builder-dispatch.yml
+++ b/.github/workflows/builder-dispatch.yml
@@ -35,6 +35,11 @@ on:
         - 'NO'
         - 'YES'
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+  actions: read
+  contents: write # To be able to upload assets as release artifacts
+  id-token: write # To sign the provenance in the build packages reusable workflow.
+
 jobs:
   call-build-packages:
     uses: PowerDNS/pdns/.github/workflows/build-packages.yml@master