fix: test release-image permissions (#36)

- [x] add permissions needed to each doc for each reusable workflow Signed-off-by: jmeridth <[email protected]>
github · Jan 25, 2025 · c180b53 · c180b53
1 parent 90604e8
commit c180b53
Show file tree

Hide file tree

Showing 7 changed files with 24 additions and 3 deletions.
diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml
@@ -20,10 +20,10 @@ jobs:
   release_image:
     needs: release
     permissions:
-      contents: write
-      discussions: write
+      contents: read
       packages: write
-      pull-requests: read
+      id-token: write
+      attestations: write
     uses: ./.github/workflows/release-image.yaml
     with:
       image-name: github/ospo-reusable-workflows

diff --git a/docs/auto-labeler.md b/docs/auto-labeler.md
@@ -4,6 +4,9 @@
 
 ```yaml
 - uses: github/ospo-reusable-workflows/.github/workflows/auto-labeler.yml@main
+  permissions:
+    contents: write
+    pull-requests: write
   with:
     # The name of the configuration file to use, default is release-drafter.yml
     # from the release-drafter/release-drafter GitHub Action

diff --git a/docs/labeler.md b/docs/labeler.md
@@ -4,6 +4,9 @@
 
 ```yaml
 - uses: github/ospo-reusable-workflows/.github/workflows/labeler.yml@main
+  permissions:
+    contents: read
+    pull-requests: write
   with:
     # The name of the configuration file to use, default is labeler.yml
     # from the actions/labeler GitHub Action

diff --git a/docs/pr-title.md b/docs/pr-title.md
@@ -4,6 +4,10 @@
 
 ```yaml
 - uses: github/ospo-reusable-workflows/.github/workflows/pr-title.yml@main
+  permissions:
+    contents: read
+    pull-requests: read
+    statuses: write
   with:
     # Configure which types are allowed (newline-delimited).
     # From: https://github.com/commitizen/conventional-commit-types/blob/master/index.json

diff --git a/docs/release-discussion.md b/docs/release-discussion.md
@@ -4,6 +4,9 @@
 
 ```yaml
 - uses: github/ospo-reusable-workflows/.github/workflows/release.yml@main
+  permissions:
+    contents: read
+    discussions: write
   with:
     # Full tag of the image, usually the version (v1.0.0)
     full-tag: v1.0.0

diff --git a/docs/release-image.md b/docs/release-image.md
@@ -4,6 +4,11 @@
 
 ```yaml
 - uses: github/ospo-reusable-workflows/.github/workflows/release.yml@main
+  permissions:
+    contents: read
+    packages: write
+    id-token: write
+    attestations: write
   with:
     # Image name, usually owner/repository (github/ospo-reusable-workflows)
     image-name: ${{ github.repository }}

diff --git a/docs/release.md b/docs/release.md
@@ -4,6 +4,9 @@
 
 ```yaml
 - uses: github/ospo-reusable-workflows/.github/workflows/release.yml@main
+  permissions:
+    contents: write
+    pull-requests: read
   with:
     # Boolean flag whether to publish the release, default is true
     publish: true