Update workflow permissions avoid device-flow auth

stackhpc · Oct 31, 2024 · 0dfd58a · 0dfd58a
1 parent f3d5544
commit 0dfd58a
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/.github/workflows/build-push-artifacts.yml b/.github/workflows/build-push-artifacts.yml
@@ -34,8 +34,13 @@ jobs:
   build_push_images:
     name: Build and push images
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write         # needed for signing the images with GitHub OIDC Token
+      packages: write         # required for pushing container images
+      security-events: write  # required for pushing SARIF files
     needs: changes
-    if: ${{ needs.changes.outputs.images == 'true' || github.ref_type == 'tag' }}
+    # if: ${{ needs.changes.outputs.images == 'true' || github.ref_type == 'tag' }}
     strategy:
       matrix:
         include: