docker: Grant enough permissions to sign images

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 133107b83ee240c8b8a5c9d1d8b3e2b55b552f29..4e37a27cf0d2ce435837796e33100e2775ad2f37 100644 (file)
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -8,6 +8,9 @@ on:
 permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
   contents: read
   actions: read
+  # This is used to complete the identity challenge
+  # with sigstore/fulcio when running outside of PRs.
+  id-token: write
 
 jobs:
   call-build-image-auth: