Fix permissions set on docker build/publish and align with main & release workflows

giom-l · giom-l · commit aa6a8e9718b9 · 2024-06-22T00:49:04.000+02:00
diff --git a/.github/workflows/docker_build.yml b/.github/workflows/docker_build.yml
@@ -12,7 +12,6 @@ on:
 
 permissions:
   contents: read
-  packages: write
 
 jobs:
   build:
diff --git a/.github/workflows/docker_publish.yml b/.github/workflows/docker_publish.yml
@@ -11,6 +11,10 @@ on:
         required: true
         type: string        
 
+permissions:
+  packages: write
+  id-token: write # Required to authenticate with OIDC for AWS
+
 jobs:
   deploy:
     continue-on-error: true
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -51,7 +51,6 @@ jobs:
     needs: jar-build
     permissions:
       contents: read
-      packages: write
     uses: ./.github/workflows/docker_build.yml
     secrets: inherit
     with:
@@ -61,9 +60,8 @@ jobs:
   docker-deploy: 
     needs: [jar-build, docker-build]
     permissions:
-      contents: read # To read secrets
-      id-token: write # This is required for requesting the JWT
       packages: write
+      id-token: write # Required to authenticate with OIDC for AWS
     uses: ./.github/workflows/docker_publish.yml
     secrets: inherit
     with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -57,7 +57,6 @@ jobs:
     needs: release
     permissions:
       contents: read
-      packages: write
     uses: ./.github/workflows/docker_build.yml
     secrets: inherit
     with:
@@ -67,9 +66,8 @@ jobs:
   docker-deploy:
     needs: [release, docker-build]
     permissions:
-      contents: read # To read secrets
-      id-token: write # This is required for requesting the JWT
       packages: write
+      id-token: write # Required to authenticate with OIDC for AWS
     uses: ./.github/workflows/docker_publish.yml
     secrets: inherit
     with:
