CI: Fix missing permissions in workflow

Signed-off-by: Knut Ahlers <knut@ahlers.me>
2024-11-09 16:50:01 +00:00 · 2024-04-13 14:13:36 +02:00 · 2024-04-13 14:13:36 +02:00 · 97dbc74ebc
commit 97dbc74ebc
parent 2c9d8ef33c
4 changed files with 12 additions and 6 deletions
--- a/.github/workflows/generated_workflow.yml
+++ b/.github/workflows/generated_workflow.yml
@ -1,7 +1,7 @@
 name: CI Workflow
 on: push
 permissions:
-  packages: write
+  contents: read
 jobs:
  doc-generator:
    if: ${{ startsWith(github.ref, 'refs/tags/v') }}
@ -43,6 +43,8 @@ jobs:
    defaults:
      run:
        shell: bash
+    permissions:
+      packages: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@ -221,6 +223,8 @@ jobs:
      env:
        CGO_ENABLED: 0
        GOPATH: /go
+    permissions:
+      contents: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@ -234,13 +238,11 @@ jobs:
      - name: Extract changelog
        run: awk "/^#/ && ++c==2{exit}; /^#/f" "History.md" | tail -n +2 >release_changelog.md
      - name: Update stable branch
-        if: startsWith(github.ref, 'refs/tags/')
        run: |
          git branch -f stable ${GITHUB_SHA}
          git push -f origin stable
      - name: Release
        uses: ncipollo/release-action@v1
-        if: startsWith(github.ref, 'refs/tags/')
        with:
          artifacts: .build/*
          bodyFile: release_changelog.md
--- a/ci/workflow-parts/index.yaml
+++ b/ci/workflow-parts/index.yaml
@ -2,6 +2,6 @@ name: CI Workflow
 on: push

 permissions:
-  packages: write
+  contents: read

 jobs: {}
--- a/ci/workflow-parts/part_docker-publish.yml
+++ b/ci/workflow-parts/part_docker-publish.yml
@ -7,6 +7,9 @@ defaults:
  run:
    shell: bash

+permissions:
+  packages: write
+
 runs-on: ubuntu-latest

 steps:
--- a/ci/workflow-parts/part_release.yml
+++ b/ci/workflow-parts/part_release.yml
@ -13,6 +13,9 @@ container:
    CGO_ENABLED: 0
    GOPATH: /go

+permissions:
+  contents: write
+
 runs-on: ubuntu-latest

 steps:
@ -31,14 +34,12 @@ steps:
    run: 'awk "/^#/ && ++c==2{exit}; /^#/f" "History.md" | tail -n +2 >release_changelog.md'

  - name: Update stable branch
-    if: startsWith(github.ref, 'refs/tags/')
    run: |
      git branch -f stable ${GITHUB_SHA}
      git push -f origin stable

  - name: Release
    uses: ncipollo/release-action@v1
-    if: startsWith(github.ref, 'refs/tags/')
    with:
      artifacts: '.build/*'
      bodyFile: release_changelog.md