Update README.md to use attestations permission (#180)

* Update README.md to use `attestations` permission * Update e2e.yml * Update ci.yml
github-early-access · Apr 22, 2024 · 0f4889d · 0f4889d
1 parent d66e134
commit 0f4889d
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 10 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -46,7 +46,8 @@ jobs:
     name: GitHub Actions Test (Linux)
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: read
+      attestations: write
       id-token: write
 
     steps:
@@ -64,7 +65,8 @@ jobs:
     name: GitHub Actions Test (Windows)
     runs-on: windows-latest
     permissions:
-      contents: write
+      contents: read
+      attestations: write
       id-token: write
 
     steps:
@@ -81,7 +83,8 @@ jobs:
     name: GitHub Actions Test (OCI)
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: read
+      attestations: write
       id-token: write
       packages: write
     env:
@@ -123,7 +126,8 @@ jobs:
     name: GitHub Actions Test (Private)
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: read
+      attestations: write
       id-token: write
 
     steps:

diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -14,7 +14,8 @@ jobs:
     name: Publish/Verify (Container Image)
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      attestations: write
+      contents: read
       id-token: write
     services:
       registry:

diff --git a/README.md b/README.md
@@ -13,11 +13,12 @@ attest,
    ```yaml
    permissions:
      id-token: write
-     contents: write
+     attestations: write
+     contents: read # optional, usually required
    ```
 
    The `id-token` permission gives the action the ability to mint the OIDC token
-   necessary to request a Sigstore signing certificate. The `contents`
+   necessary to request a Sigstore signing certificate. The `attestations`
    permission is necessary to persist the attestation.
 
    > **NOTE**: The set of required permissions will be refined in a future
@@ -167,7 +168,8 @@ jobs:
   build:
     permissions:
       id-token: write
-      contents: write
+      attestations: write
+      contents: read
 
     steps:
       - name: Checkout
@@ -195,7 +197,8 @@ jobs:
   build:
     permissions:
       id-token: write
-      contents: write
+      attestations: write
+      contents: read
 
     steps:
       - name: Checkout
@@ -247,7 +250,8 @@ jobs:
     permissions:
       id-token: write
       packages: write
-      contents: write
+      attestations: write
+      contents: read
     env:
       REGISTRY: ghcr.io
       IMAGE_NAME: ${{ github.repository }}