diff --git a/.github/workflows/rebase.yaml b/.github/workflows/rebase.yaml
index 36a6de42..75d3ab54 100644
--- a/.github/workflows/rebase.yaml
+++ b/.github/workflows/rebase.yaml
@@ -12,6 +12,8 @@ jobs:
   rebase:
     if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') && (github.event.comment.author_association == 'CONTRIBUTOR' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER')
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to force push
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
diff --git a/.github/workflows/release-chart.yaml b/.github/workflows/release-chart.yaml
index c2e4fa20..ae2f606c 100644
--- a/.github/workflows/release-chart.yaml
+++ b/.github/workflows/release-chart.yaml
@@ -11,8 +11,8 @@ jobs:
   release:
     runs-on: ubuntu-latest
     permissions:
-      packages: write
-      id-token: write
+      packages: write # Needed to publish chart to ghcr.io
+      id-token: write # Needed for keyless signing
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 5f7da88c..cac30dd4 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -4,15 +4,16 @@ on:
     tags:
       - 'v*'
 
-permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+permissions: {}
 
 jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
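Review bot: The job-level `contents: write` added to `rebase` is not paired with a top-level `permissions: {}` in the rebase.yaml hunk, so unless the file already sets one above line 12 (not visible here) any other job in this workflow still receives the default token scopes; the release.yaml hunk in this same commit does add `permissions: {}` at the top, and rebase.yaml should match it. Worth stating in the comment what the write scope is traded against, since the gate on the `if:` line is `author_association`, and `CONTRIBUTOR` is satisfied by anyone with a previously merged commit: `contents: write # needed to force push the PR branch; granted to any CONTRIBUTOR/MEMBER/OWNER who comments /rebase`. The `rebase` job's steps continue past the end of the hunk, so whether the token is also exposed to later steps cannot be checked from here.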
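Review bot: The new top-level `permissions: {}` in release.yaml carries no comment, while the three scopes it displaces are each annotated on the job; a reader seeing an empty mapping may take it for a placeholder. Suggest `permissions: {} # no default token scopes; each job declares exactly what it needs`. If `build` is the only job in this workflow (the hunk shows no other), the effective token scope is unchanged by the move and the benefit is that any job added later starts with none, which the comment should make explicit.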