From 0f4889da6ff4e8d518617936b03dda01f22380ad Mon Sep 17 00:00:00 2001
From: Phill MV
Date: Mon, 22 Apr 2024 13:17:40 -0400
Subject: [PATCH] Update README.md to use `attestations` permission (#180)
* Update README.md to use `attestations` permission
* Update e2e.yml
* Update ci.yml
---
 .github/workflows/ci.yml | 12 ++++++++----
 .github/workflows/e2e.yml | 3 ++-
 README.md | 14 +++++++++-----
 3 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f1713c2..e506fb7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -46,7 +46,8 @@ jobs:
 name: GitHub Actions Test (Linux)
 runs-on: ubuntu-latest
 permissions:
- contents: write
+ contents: read
+ attestations: write
 id-token: write
 steps:
@@ -64,7 +65,8 @@ jobs:
 name: GitHub Actions Test (Windows)
 runs-on: windows-latest
 permissions:
- contents: write
+ contents: read
+ attestations: write
 id-token: write
 steps:
@@ -81,7 +83,8 @@ jobs:
 name: GitHub Actions Test (OCI)
 runs-on: ubuntu-latest
 permissions:
- contents: write
+ contents: read
+ attestations: write
 id-token: write
 packages: write
 env:
@@ -123,7 +126,8 @@ jobs:
 name: GitHub Actions Test (Private)
 runs-on: ubuntu-latest
 permissions:
- contents: write
+ contents: read
+ attestations: write
 id-token: write
 steps:
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 7c3d681..df7a6a9 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -14,7 +14,8 @@ jobs:
 name: Publish/Verify (Container Image)
 runs-on: ubuntu-latest
 permissions:
- contents: write
+ attestations: write
+ contents: read
 id-token: write
 services:
 registry:
diff --git a/README.md b/README.md
index 8d0acd3..dc4fad0 100644
--- a/README.md
+++ b/README.md
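Review bot: The `permissions:` block of the Linux job (hunk `@@ -46`) grants `attestations: write` and `id-token: write` with no comment recording why each scope is needed, and the same applies to the Windows, OCI and Private hunks of ci.yml and to the e2e.yml hunk. The README changed in this same commit states that `id-token` mints the OIDC token for the Sigstore signing certificate and `attestations` persists the attestation, so I would record that next to the grants, e.g. `attestations: write  # persist the attestation (see README)` and `id-token: write  # mint OIDC token for Sigstore signing`, so a later reviewer can tell a deliberately scoped grant from a stale one. A smaller style point: e2e.yml lists `attestations: write` before `contents: read` while all four ci.yml hunks list them the other way round; one ordering (alphabetical, as in e2e.yml) would make future permission diffs easier to read. Each job's `steps:` continue outside the hunk, so I cannot confirm from here that `contents: read` is the only repository scope the remaining steps need.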
@@ -13,11 +13,12 @@ attest,
 ```yaml
 permissions:
 id-token: write
- contents: write
+ attestations: write
+ contents: read # optional, usually required
 ```
 The `id-token` permission gives the action the ability to mint the OIDC token
- necessary to request a Sigstore signing certificate. The `contents`
+ necessary to request a Sigstore signing certificate. The `attestations`
 permission is necessary to persist the attestation.
 > **NOTE**: The set of required permissions will be refined in a future
@@ -167,7 +168,8 @@ jobs:
 build:
 permissions:
 id-token: write
- contents: write
+ attestations: write
+ contents: read
 steps:
 - name: Checkout
@@ -195,7 +197,8 @@ jobs:
 build:
 permissions:
 id-token: write
- contents: write
+ attestations: write
+ contents: read
 steps:
 - name: Checkout
@@ -247,7 +250,8 @@ jobs:
 permissions:
 id-token: write
 packages: write
- contents: write
+ attestations: write
+ contents: read
 env:
 REGISTRY: ghcr.io
 IMAGE_NAME: ${{ github.repository }}