From 97dbc74ebc2b0c920fe7cc0e437b072b59cfd88f Mon Sep 17 00:00:00 2001
From: Knut Ahlers <knut@ahlers.me>
Date: Sat, 13 Apr 2024 14:13:36 +0200
Subject: [PATCH] CI: Fix missing permissions in workflow

Signed-off-by: Knut Ahlers <knut@ahlers.me>
---
 .github/workflows/generated_workflow.yml  | 8 +++++---
 ci/workflow-parts/index.yaml              | 2 +-
 ci/workflow-parts/part_docker-publish.yml | 3 +++
 ci/workflow-parts/part_release.yml        | 5 +++--
 4 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/generated_workflow.yml b/.github/workflows/generated_workflow.yml
index 470deb3..9119247 100644
--- a/.github/workflows/generated_workflow.yml
+++ b/.github/workflows/generated_workflow.yml
@@ -1,7 +1,7 @@
 name: CI Workflow
 on: push
 permissions:
-  packages: write
+  contents: read
 jobs:
   doc-generator:
     if: ${{ startsWith(github.ref, 'refs/tags/v') }}
@@ -43,6 +43,8 @@ jobs:
     defaults:
       run:
         shell: bash
+    permissions:
+      packages: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -221,6 +223,8 @@ jobs:
       env:
         CGO_ENABLED: 0
         GOPATH: /go
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -234,13 +238,11 @@ jobs:
       - name: Extract changelog
         run: awk "/^#/ && ++c==2{exit}; /^#/f" "History.md" | tail -n +2 >release_changelog.md
       - name: Update stable branch
-        if: startsWith(github.ref, 'refs/tags/')
         run: |
           git branch -f stable ${GITHUB_SHA}
           git push -f origin stable
       - name: Release
         uses: ncipollo/release-action@v1
-        if: startsWith(github.ref, 'refs/tags/')
         with:
           artifacts: .build/*
           bodyFile: release_changelog.md
diff --git a/ci/workflow-parts/index.yaml b/ci/workflow-parts/index.yaml
index 0280b4d..547e9b3 100644
--- a/ci/workflow-parts/index.yaml
+++ b/ci/workflow-parts/index.yaml
@@ -2,6 +2,6 @@ name: CI Workflow
 on: push
 
 permissions:
-  packages: write
+  contents: read
 
 jobs: {}
diff --git a/ci/workflow-parts/part_docker-publish.yml b/ci/workflow-parts/part_docker-publish.yml
index b46a1e7..d3089e8 100644
--- a/ci/workflow-parts/part_docker-publish.yml
+++ b/ci/workflow-parts/part_docker-publish.yml
@@ -7,6 +7,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  packages: write
+
 runs-on: ubuntu-latest
 
 steps:
diff --git a/ci/workflow-parts/part_release.yml b/ci/workflow-parts/part_release.yml
index 36715ee..4000c0e 100644
--- a/ci/workflow-parts/part_release.yml
+++ b/ci/workflow-parts/part_release.yml
@@ -13,6 +13,9 @@ container:
     CGO_ENABLED: 0
     GOPATH: /go
 
+permissions:
+  contents: write
+
 runs-on: ubuntu-latest
 
 steps:
@@ -31,14 +34,12 @@ steps:
     run: 'awk "/^#/ && ++c==2{exit}; /^#/f" "History.md" | tail -n +2 >release_changelog.md'
 
   - name: Update stable branch
-    if: startsWith(github.ref, 'refs/tags/')
     run: |
       git branch -f stable ${GITHUB_SHA}
       git push -f origin stable
 
   - name: Release
     uses: ncipollo/release-action@v1
-    if: startsWith(github.ref, 'refs/tags/')
     with:
       artifacts: '.build/*'
       bodyFile: release_changelog.md