Allow build-tags to run on forks

build-tags uses: PowerDNS/pdns/.github/workflows/build-packages.yml@master
As of f107ec62467b8779db9bbdb175721ef232ed52e5, that workflow requires:

    permissions:
      actions: read   # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To be able to upload assets as release artifacts

Per https://docs.github.com/en/actions/using-workflows/reusing-workflows
in order for this to work, the calling job (in build-tags) needs to
have the maximum required permissions in order for the calling workflow
to be run.

diff --git a/.github/workflows/build-tags.yml b/.github/workflows/build-tags.yml
index 6431ec9d5ff91ad1825b7053ed1f31ac43c7d9c4..cccb4d5cadf156602cda9ecaaabf8cf22e098d67 100644 (file)
--- a/.github/workflows/build-tags.yml
+++ b/.github/workflows/build-tags.yml
@@ -8,6 +8,11 @@ on:
     - 'dnsdist-*'
     - 'rec-*'
 
+permissions:
+  actions: read
+  id-token: write
+  contents: write
+
 jobs:
   call-build-packages-auth:
     uses: PowerDNS/pdns/.github/workflows/build-packages.yml@master