
Commit 8fc7090

Merge pull request #49 from docker/perms
remove permissions block in reusable workflows
2 parents c56377b + 838a5ad commit 8fc7090


4 files changed

+7
-44
lines changed


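--- a/.github/workflows/.test.yml
+++ b/.github/workflows/.test.yml
@@ -4,9 +4,6 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
-permissions:
-contents: read
-
 on:
 workflow_dispatch:
 push:
@@ -22,7 +19,6 @@ jobs:
 uses: ./.github/workflows/build.yml
 permissions:
 contents: read
-packages: write
 id-token: write
 with:
 output: image
@@ -57,7 +53,6 @@ jobs:
 uses: ./.github/workflows/build.yml
 permissions:
 contents: read
-packages: write
 id-token: write
 with:
 output: image
@@ -94,8 +89,8 @@ jobs:
 uses: ./.github/workflows/build.yml
 permissions:
 contents: read
-packages: write
 id-token: write
+packages: write
 with:
 output: image
 push: ${{ github.event_name != 'pull_request' }}
@@ -128,7 +123,6 @@ jobs:
 uses: ./.github/workflows/build.yml
 permissions:
 contents: read
-packages: write
 id-token: write
 with:
 output: image
@@ -162,7 +156,6 @@ jobs:
 uses: ./.github/workflows/build.yml
 permissions:
 contents: read
-packages: write
 id-token: write
 with:
 output: image
@@ -197,8 +190,8 @@ jobs:
 uses: ./.github/workflows/build.yml
 permissions:
 contents: read
-packages: write
 id-token: write
+packages: write
 with:
 output: image
 push: ${{ github.event_name != 'pull_request' }}
@@ -239,7 +232,6 @@ jobs:
 uses: ./.github/workflows/build.yml
 permissions:
 contents: read
-packages: write
 id-token: write
 with:
 output: local
@@ -261,7 +253,6 @@ jobs:
 uses: ./.github/workflows/build.yml
 permissions:
 contents: read
-packages: write
 id-token: write
 with:
 output: local
@@ -282,7 +273,6 @@ jobs:
 uses: ./.github/workflows/build.yml
 permissions:
 contents: read
-packages: write
 id-token: write
 with:
 runner: amd64
@@ -298,7 +288,6 @@ jobs:
 uses: ./.github/workflows/bake.yml
 permissions:
 contents: read
-packages: write
 id-token: write
 with:
 context: test
@@ -335,7 +324,6 @@ jobs:
 uses: ./.github/workflows/bake.yml
 permissions:
 contents: read
-packages: write
 id-token: write
 with:
 context: test
@@ -372,8 +360,8 @@ jobs:
 uses: ./.github/workflows/bake.yml
 permissions:
 contents: read
-packages: write
 id-token: write
+packages: write
 with:
 context: test
 target: hello-cross
@@ -416,7 +404,6 @@ jobs:
 uses: ./.github/workflows/bake.yml
 permissions:
 contents: read
-packages: write
 id-token: write
 with:
 context: test
@@ -439,7 +426,6 @@ jobs:
 uses: ./.github/workflows/bake.yml
 permissions:
 contents: read
-packages: write
 id-token: write
 with:
 context: test
@@ -462,7 +448,6 @@ jobs:
 uses: ./.github/workflows/bake.yml
 permissions:
 contents: read
-packages: write
 id-token: write
 with:
 runner: amd64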
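Review bot: Dropping the workflow-level `permissions:` / `contents: read` block in the first hunk (old lines 7-9) removes the read-only floor for this file, so any job that does not declare its own `permissions` key now runs with the repository's default GITHUB_TOKEN permissions rather than `contents: read`. Every job visible in these hunks carries a job-level block, but jobs between the hunks cannot be confirmed from here. Because a job-level `permissions` block replaces the workflow-level one rather than merging with it, keeping the two lines `permissions:` / `  contents: read` at workflow level costs nothing for the jobs shown and preserves an explicit least-privilege default for any job that lacks one. The three jobs that keep `packages: write` (re-added after `id-token: write`) would also read better with the rationale the reusable workflows used to carry, e.g. `packages: write # required when the build pushes to GHCR`, since two of them set `push: ${{ github.event_name != 'pull_request' }}` and the `hello-cross` job's push setting is outside the hunk.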

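--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
@@ -149,8 +149,6 @@ env:
 jobs:
 prepare:
 runs-on: ubuntu-24.04
-permissions:
-contents: read
 outputs:
 includes: ${{ steps.set.outputs.includes }}
 steps:
@@ -273,10 +271,6 @@ jobs:
 runs-on: ${{ matrix.runner }}
 needs:
 - prepare
-permissions:
-contents: read
-id-token: write # for signing attestation manifests and/or registry authentication with GitHub OIDC Token
-packages: write # for pushing manifests to GHCR if needed
 strategy:
 fail-fast: false
 matrix:
@@ -657,10 +651,6 @@ jobs:
 
 finalize:
 runs-on: ubuntu-24.04
-permissions:
-contents: read
-id-token: write # for registry authentication with OIDC if needed
-packages: write # for pushing to GHCR when merging manifests if needed
 outputs:
 cosign-version: ${{ env.COSIGN_VERSION }}
 cosign-verify-commands: ${{ steps.set.outputs.cosign-verify-commands }}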
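Review bot: Removing the job-level `permissions` blocks from `prepare`, the matrix build job and `finalize` (all three hunks here, and the same three in `.github/workflows/build.yml`) also removes the only in-file record of which token scopes each job needs and why; the trailing comments on `id-token: write` and `packages: write` were that record. Since these are reusable workflows, each job now runs with exactly what the caller's job grants (a called workflow can only narrow the caller's permissions), so a caller that omits `id-token: write` or `packages: write` will discover it only when attestation signing or the GHCR push fails at run time. A comment after each `runs-on:` line would keep that knowledge next to the job, e.g. `# token permissions are inherited from the calling job: id-token: write for attestation signing / OIDC registry auth, packages: write when pushing to GHCR`, with `prepare` presumably noting it needs only `contents: read`. The job definitions continue outside these hunks.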

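--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -160,8 +160,6 @@ env:
 jobs:
 prepare:
 runs-on: ubuntu-24.04
-permissions:
-contents: read
 outputs:
 includes: ${{ steps.set.outputs.includes }}
 steps:
@@ -227,10 +225,6 @@ jobs:
 runs-on: ${{ matrix.runner }}
 needs:
 - prepare
-permissions:
-contents: read
-id-token: write # for signing attestation manifests and/or registry authentication with GitHub OIDC Token
-packages: write # for pushing manifests to GHCR if needed
 strategy:
 fail-fast: false
 matrix:
@@ -551,10 +545,6 @@ jobs:
 
 finalize:
 runs-on: ubuntu-24.04
-permissions:
-contents: read
-id-token: write # for registry authentication with OIDC if needed
-packages: write # for pushing to GHCR when merging manifests if needed
 outputs:
 cosign-version: ${{ env.COSIGN_VERSION }}
 cosign-verify-commands: ${{ steps.set.outputs.cosign-verify-commands }}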

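--- a/README.md
+++ b/README.md
@@ -35,9 +35,8 @@ on:
 build:
 uses: docker/github-builder-experimental/.github/workflows/build.yml@main
 permissions:
-contents: read
-id-token: write # for signing attestation manifests and registry authentication if needed with GitHub OIDC Token
-packages: write # for pushing manifests to GHCR if needed (caller must provide the same permissions used in the reusable workflow)
+contents: read # to fetch the repository content
+id-token: write # for signing attestation manifests with GitHub OIDC Token
 with:
 output: image
 push: ${{ github.event_name != 'pull_request' }}
@@ -91,9 +90,8 @@ on:
 bake:
 uses: docker/github-builder-experimental/.github/workflows/bake.yml@main
 permissions:
-contents: read
-id-token: write # for signing attestation manifests and registry authentication if needed with GitHub OIDC Token
-packages: write # for pushing manifests to GHCR if needed (caller must provide the same permissions used in the reusable workflow)
+contents: read # to fetch the repository content
+id-token: write # for signing attestation manifests with GitHub OIDC Token
 with:
 output: image
 push: ${{ github.event_name != 'pull_request' }}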
