ci(push-image): explicitly specify package:write permission

Signed-off-by: Thuan Vo <thvo@redhat.com>
cryostatio · Aug 26, 2023 · af3af62 · af3af62
1 parent 2d191af
commit af3af62
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/.github/workflows/pr-ci.yml b/.github/workflows/pr-ci.yml
@@ -13,6 +13,8 @@ jobs:
   check-before-build:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'cryostatio' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/build_test')
+    permissions:
+      pull-requests: write
     steps:
     - name: Fail if needs-triage label applied 
       if: ${{ contains(github.event.issue.labels.*.name, 'needs-triage') }}
@@ -46,10 +48,6 @@ jobs:
   checkout-branch: 
     runs-on: ubuntu-latest
     needs: [check-before-build]
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
     outputs: 
       PR_head_ref: ${{ fromJSON(steps.comment-branch.outputs.result).ref }}
       PR_head_sha: ${{ fromJSON(steps.comment-branch.outputs.result).sha }}
@@ -87,15 +85,18 @@ jobs:
 
   push-to-ghcr:
     runs-on: ubuntu-latest
+    needs: [build-and-test, checkout-branch]
     strategy:
       matrix:
         arch: [amd64, arm64]
     outputs: 
       amd64_image: ${{ steps.amd64_image.outputs.image }}
       arm64_image: ${{ steps.arm64_image.outputs.image }}
-    needs: [build-and-test, checkout-branch]
     env:
       head_sha: ${{ needs.checkout-branch.outputs.PR_head_sha }}
+    permissions:
+      packages: write
+      actions: read
     steps:
     - uses: actions/download-artifact@v3
       with: