From: Remi Gacogne
Date: Mon, 22 Sep 2025 12:57:14 +0000 (+0200)
Subject: build-docker-images: Fix access to id-token to sign images
X-Git-Tag: rec-5.4.0-alpha1~261^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=68607684832a4f90de23ebb3ad850b5cca8ffcaf;p=thirdparty%2Fpdns.git
build-docker-images: Fix access to id-token to sign images
Signed-off-by: Remi Gacogne
---
diff --git a/.github/workflows/build-docker-images-dispatch.yml b/.github/workflows/build-docker-images-dispatch.yml
index a1ad31e760..7f52f31e1c 100644
--- a/.github/workflows/build-docker-images-dispatch.yml
+++ b/.github/workflows/build-docker-images-dispatch.yml
@@ -35,6 +35,9 @@ on:
 permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 contents: read
 actions: read
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
 jobs:
 prepare:
diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml
index 175fe9fcd1..116ad31d49 100644
--- a/.github/workflows/build-docker-images.yml
+++ b/.github/workflows/build-docker-images.yml
@@ -49,11 +49,16 @@ on:
 permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 contents: read
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
 jobs:
 validate-push-image:
 name: Check only images built from tags and master are pushed
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
@@ -71,6 +76,8 @@ jobs:
 prepare-runner-os-list:
 name: generate list of runner-architecture pairs based on the input "platforms"
 runs-on: ubuntu-24.04
+ permissions:
+ contents: read
 outputs:
 runnerlist: ${{ steps.get-runnerlist.outputs.runnerlist }}
 steps:
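Review bot: In build-docker-images-dispatch.yml the new `id-token: write` sits in the workflow-level `permissions` block, so every job that does not declare its own `permissions` — including `prepare:` directly below, if it declares none — receives an OIDC token it has no use for. Because a job that `uses:` a reusable workflow must itself hold `id-token: write` for the callee to obtain it, the least-privilege form is to keep the workflow default at `contents: read` / `actions: read` and move `id-token: write` (with the same two-line comment) onto the job that calls build-docker-images.yml. The jobs of this workflow are outside the hunk, so whether `prepare` already overrides permissions cannot be confirmed from here.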
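Review bot: The workflow-level `id-token: write` added to build-docker-images.yml is redundant with the job-level grant this same commit gives the push job, and it silently becomes the default for any job that omits `permissions`. Every job visible in this commit now declares `contents: read` explicitly, so dropping `id-token: write` from the top-level block (keeping `contents: read`) would make a job that forgets `permissions:` fail closed instead of inheriting an OIDC token. Job-level `permissions` are not capped by the workflow-level block, only by what the calling workflow grants, so the push job keeps working without it. Jobs not shown in this diff should be checked for a missing `permissions:` before the top-level grant is removed.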
@@ -94,6 +101,8 @@ jobs:
 fail-fast: false
 matrix:
 platform: ${{ fromJson(needs.prepare-runner-os-list.outputs.runnerlist) }}
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
@@ -158,6 +167,11 @@ jobs:
 runs-on: ubuntu-24.04
 if: ${{ inputs.push }}
 needs: build
+ permissions:
+ contents: read
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
 outputs:
 image-digest: ${{ steps.get-image-digest.outputs.image-digest }}
 env:
@@ -220,6 +234,8 @@ jobs:
 INPUT_IMAGE_TAGS: ${{ inputs.image-tags }}
 INPUT_PLATFORMS: ${{ inputs.platforms }}
 IMAGE_NAME: ${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}/${{ inputs.image-name }}
+ permissions:
+ contents: read
 steps:
 - name: Check running image
 run: |
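Review bot: The comment on the push job's `id-token: write` (hunk at line 167) says the token is used "when running outside of PRs", but this is a reusable workflow whose only gate is `if: ${{ inputs.push }}`; whether the run originates from a PR is decided by the caller, not by this file. Suggest the comment name the actual condition so the next maintainer does not rely on a trigger this workflow cannot see, e.g. `# OIDC token for keyless sigstore/fulcio signing of the pushed image; this job only runs when inputs.push is true and the caller must also grant id-token: write.` The signing steps that consume the token are outside the hunk.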