remove packages write permissions

crazy-max · crazy-max · commit 239bc4906203 · 2025-11-14T16:38:24.000+01:00
Signed-off-by: CrazyMax &lt;1951866+crazy-max@users.noreply.github.com&gt;
diff --git a/.github/workflows/.test.yml b/.github/workflows/.test.yml
@@ -22,7 +22,6 @@ jobs:
     uses: ./.github/workflows/build.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
@@ -43,7 +42,6 @@ jobs:
     uses: ./.github/workflows/build.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
@@ -99,8 +97,8 @@ jobs:
     uses: ./.github/workflows/build.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
+      packages: write
     with:
       output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
       meta-images: ghcr.io/docker/github-builder-test
@@ -119,7 +117,6 @@ jobs:
     uses: ./.github/workflows/build.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
@@ -139,7 +136,6 @@ jobs:
     uses: ./.github/workflows/build.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
@@ -158,8 +154,8 @@ jobs:
     uses: ./.github/workflows/build.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
+      packages: write
     with:
       output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
       meta-images: |
@@ -183,7 +179,6 @@ jobs:
     uses: ./.github/workflows/build.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       output: ${{ github.event_name != 'pull_request' && 'local' || 'cacheonly' }}
@@ -227,7 +222,6 @@ jobs:
     uses: ./.github/workflows/bake.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       context: test
@@ -283,7 +277,6 @@ jobs:
     uses: ./.github/workflows/bake.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       context: test
diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
@@ -140,8 +140,7 @@ jobs:
       artifact-name: ${{ inputs.artifact-name }}
     permissions:
       contents: read
-      id-token: write # needed for signing the images with GitHub OIDC Token
-      packages: write # needed to push images to GitHub Container Registry
+      id-token: write # for signing attestation manifests with GitHub OIDC Token
     steps:
       -
         name: Environment variables
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -142,8 +142,7 @@ jobs:
       artifact-name: ${{ inputs.artifact-name }}
     permissions:
       contents: read
-      id-token: write # needed for signing the images with GitHub OIDC Token
-      packages: write # needed to push images to GitHub Container Registry
+      id-token: write # for signing attestation manifests with GitHub OIDC Token
     steps:
       -
         name: Docker meta
diff --git a/README.md b/README.md
@@ -37,7 +37,6 @@ on:
     permissions:
       contents: read
       id-token: write # for signing attestation manifests with GitHub OIDC Token
-      packages: write # only used if pushing to GHCR but needs to be defined as caller must provide permissions ≥ to those used in the reusable workflow
     with:
       output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
       meta-images: name/app
@@ -105,7 +104,6 @@ on:
     permissions:
       contents: read
       id-token: write # for signing attestation manifests with GitHub OIDC Token
-      packages: write # only used if pushing to GHCR but needs to be defined as caller must provide permissions ≥ to those used in the reusable workflow
     with:
       output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
       meta-images: name/app
