From 7406cfbe5991b3edd1324b0f446c68c7acdc95e1 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Mon, 3 Jul 2023 15:28:21 +0200
Subject: [PATCH] builder-dispatch: Explicitly grant id-token: write to the build package workflow
---
 .github/workflows/builder-dispatch.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/builder-dispatch.yml b/.github/workflows/builder-dispatch.yml
index 456af0af24..30cab32c47 100644
--- a/.github/workflows/builder-dispatch.yml
+++ b/.github/workflows/builder-dispatch.yml
@@ -35,6 +35,11 @@ on:
 - 'NO'
 - 'YES'
 
+permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+ actions: read
+ contents: write # To be able to upload assets as release artifacts
+ id-token: write # To sign the provenance in the build packages reusable workflow.
+
 jobs:
 call-build-packages:
 uses: PowerDNS/pdns/.github/workflows/build-packages.yml@master
-- 
2.47.2
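Review bot: The new `permissions:` block sits at workflow level, so `contents: write` and `id-token: write` are granted to every job in this file, not only to the job that calls the build-packages reusable workflow. Only `call-build-packages` is visible and the `jobs:` map continues outside the hunk; if other jobs follow, moving the three scopes to `jobs.call-build-packages.permissions` and setting `permissions: {}` at the top would keep the grant as narrow as the "least privileges" comment promises, with any other job that uses the token declaring its own scopes. The called workflow is referenced at the mutable ref `@master`, so these write scopes follow whatever that branch holds at dispatch time; a short comment next to the grant stating that dependency would help later reviewers.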