fix: add correct permissions to build job

.github/workflows/base-alpine.yml

@@ -11,7 +11,10 @@ on:
 
 jobs:
   build:
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/base-alpine

.github/workflows/base-node.yml

@@ -11,7 +11,10 @@ on:
 
 jobs:
   build:
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/base-node

.github/workflows/bitcoin-regtest.yml

@@ -16,7 +16,10 @@ on:
 
 jobs:
   build:
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/bitcoin-regtest

.github/workflows/bitcoin.yml

@@ -16,7 +16,10 @@ on:
 
 jobs:
   build:
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/bitcoin

.github/workflows/bp-core.yml

@@ -56,7 +56,10 @@ jobs:
   build-release:
     needs: prepare
     if: ${{ (github.event_name == 'push' || github.event.inputs.target == 'release') }}
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       runs-on: self-hosted
@@ -66,7 +69,10 @@ jobs:
   build-nightly:
     needs: prepare
     if: ${{ (github.event_name == 'schedule' || github.event.inputs.target == 'nightly') && (github.event.inputs.force || needs.prepare.outputs.tag-commit-exists == 'false') }}
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       runs-on: self-hosted
@@ -76,15 +82,21 @@ jobs:
 
   build-lnpbp-tools-release:
     needs: build-release
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/lnpbp-tools
       target: release
 
   build-lnpbp-tools-nightly:
     needs: build-nightly
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/lnpbp-tools

.github/workflows/bp-descriptor-wallet.yml

@@ -56,7 +56,10 @@ jobs:
   build-release:
     needs: prepare
     if: ${{ (github.event_name == 'push' || github.event.inputs.target == 'release') }}
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       runs-on: self-hosted
@@ -66,7 +69,10 @@ jobs:
   build-nightly:
     needs: prepare
     if: ${{ (github.event_name == 'schedule' || github.event.inputs.target == 'nightly') && (github.event.inputs.force || needs.prepare.outputs.tag-commit-exists == 'false') }}
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       runs-on: self-hosted
@@ -76,15 +82,21 @@ jobs:
 
   build-lnpbp-tools-release:
     needs: build-release
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/lnpbp-tools
       target: release
 
   build-lnpbp-tools-nightly:
     needs: build-nightly
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/lnpbp-tools

.github/workflows/bp-node.yml

@@ -56,7 +56,10 @@ jobs:
   build-release:
     needs: prepare
     if: ${{ (github.event_name == 'push' || github.event.inputs.target == 'release') }}
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       runs-on: self-hosted
@@ -66,7 +69,10 @@ jobs:
   build-nightly:
     needs: prepare
     if: ${{ (github.event_name == 'schedule' || github.event.inputs.target == 'nightly') && (github.event.inputs.force || needs.prepare.outputs.tag-commit-exists == 'false') }}
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       runs-on: self-hosted
@@ -76,15 +82,21 @@ jobs:
 
   build-lnpbp-tools-release:
     needs: build-release
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/lnpbp-tools
       target: release
 
   build-lnpbp-tools-nightly:
     needs: build-nightly
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/lnpbp-tools

.github/workflows/faraday.yml

@@ -16,7 +16,10 @@ on:
 
 jobs:
   build:
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/faraday

.github/workflows/lightning-terminal.yml

@@ -16,7 +16,10 @@ on:
 
 jobs:
   build:
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/lightning-terminal

.github/workflows/lnd.yml

@@ -56,7 +56,10 @@ jobs:
   build-release:
     needs: prepare
     if: ${{ (github.event_name == 'push' || github.event.inputs.target == 'release') }}
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/lnd
@@ -65,7 +68,10 @@ jobs:
   build-nightly:
     needs: prepare
     if: ${{ github.event.inputs.force || ((github.event_name == 'schedule' || github.event.inputs.target == 'nightly') && needs.prepare.outputs.tag-commit-exists == 'false') }}
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/lnd

.github/workflows/lndmon.yml

@@ -16,7 +16,10 @@ on:
 
 jobs:
   build:
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/lndmon

.github/workflows/lnp-node.yml

@@ -56,7 +56,10 @@ jobs:
   build-release:
     needs: prepare
     if: ${{ (github.event_name == 'push' || github.event.inputs.target == 'release') }}
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       runs-on: self-hosted
@@ -66,7 +69,10 @@ jobs:
   build-nightly:
     needs: prepare
     if: ${{ (github.event_name == 'schedule' || github.event.inputs.target == 'nightly') && (github.event.inputs.force || needs.prepare.outputs.tag-commit-exists == 'false') }}
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       runs-on: self-hosted
@@ -76,15 +82,21 @@ jobs:
 
   build-lnpbp-tools-release:
     needs: build-release
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/lnpbp-tools
       target: release
 
   build-lnpbp-tools-nightly:
     needs: build-nightly
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/lnpbp-tools

.github/workflows/lnpbp-tools.yml

@@ -13,15 +13,21 @@ on:
 jobs:
   build-release:
     if: ${{ github.event.inputs.target == 'release' }}
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/lnpbp-tools
       target: release
 
   build-nightly:
     if: ${{ github.event.inputs.target == 'nightly' }}
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/lnpbp-tools

.github/workflows/loop.yml

@@ -16,7 +16,10 @@ on:
 
 jobs:
   build:
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/loop

.github/workflows/nostr-rs-relay.yml

@@ -16,7 +16,10 @@ on:
 
 jobs:
   build:
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       runs-on: self-hosted

.github/workflows/nostream.yml

@@ -16,7 +16,10 @@ on:
 
 jobs:
   build:
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       runs-on: self-hosted

.github/workflows/pool.yml

@@ -16,7 +16,10 @@ on:
 
 jobs:
   build:
-    uses: ./.github/workflows/bake.yml
+    uses: ./.github/workflows/bake.yml    
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     with:
       path: docker/pool