Fix GitHub Actions workflow permissions (#574)

DependencyTrack · Feb 14, 2024 · e98adda · e98adda
1 parent 4ec6112
commit e98adda
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 0 deletions.
diff --git a/.github/workflows/_meta-build.yaml b/.github/workflows/_meta-build.yaml
@@ -61,6 +61,7 @@ jobs:
   build-container:
     runs-on: ubuntu-latest
     permissions:
+      packages: write # Required to push images to ghcr.io
       security-events: write # Required to upload trivy's SARIF output
     needs:
       - build-java

diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
@@ -25,6 +25,7 @@ jobs:
       app-version: "snapshot"
       publish-container: ${{ github.ref == 'refs/heads/main' }}
     permissions:
+      packages: write # Required to push images to ghcr.io
       security-events: write # Required to upload trivy's SARIF output
     secrets:
       registry-0-usr: ${{ github.repository_owner }}

diff --git a/.github/workflows/ci-publish.yaml b/.github/workflows/ci-publish.yaml
@@ -39,6 +39,7 @@ jobs:
       app-version: ${{ needs.read-version.outputs.version }}
       publish-container: true
     permissions:
+      packages: write # Required to push images to ghcr.io
       security-events: write # Required to upload trivy's SARIF output
     secrets:
       registry-0-usr: ${{ github.repository_owner }}

diff --git a/.github/workflows/ci-release.yaml b/.github/workflows/ci-release.yaml
@@ -38,6 +38,10 @@ jobs:
 
   create-release:
     runs-on: ubuntu-latest
+    permissions:
+      # Required for pushing changes via git command (rather than via GitHub API).
+      # TODO: Use bot credentials for git, or rewrite the "Commit Version" step to use API instead.
+      contents: write
     needs:
       - prepare-release