From af3af620cd99c6ae7f3e398a05272f829d09e345 Mon Sep 17 00:00:00 2001
From: Thuan Vo
Date: Fri, 25 Aug 2023 16:51:06 -0700
Subject: [PATCH] ci(push-image): explicitly specify package:write permission

Signed-off-by: Thuan Vo
---
 .github/workflows/pr-ci.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/pr-ci.yml b/.github/workflows/pr-ci.yml
index 2fcd7f1212..ecdb09f438 100644
--- a/.github/workflows/pr-ci.yml
+++ b/.github/workflows/pr-ci.yml
@@ -13,6 +13,8 @@ jobs:
 check-before-build:
 runs-on: ubuntu-latest
 if: github.repository_owner == 'cryostatio' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/build_test')
+ permissions:
+ pull-requests: write
 steps:
 - name: Fail if needs-triage label applied
 if: ${{ contains(github.event.issue.labels.*.name, 'needs-triage') }}
@@ -46,10 +48,6 @@ jobs:
 checkout-branch:
 runs-on: ubuntu-latest
 needs: [check-before-build]
- permissions:
- contents: read
- issues: read
- pull-requests: read
 outputs:
 PR_head_ref: ${{ fromJSON(steps.comment-branch.outputs.result).ref }}
 PR_head_sha: ${{ fromJSON(steps.comment-branch.outputs.result).sha }}
@@ -87,15 +85,18 @@ jobs:

 push-to-ghcr:
 runs-on: ubuntu-latest
+ needs: [build-and-test, checkout-branch]
 strategy:
 matrix:
 arch: [amd64, arm64]
 outputs:
 amd64_image: ${{ steps.amd64_image.outputs.image }}
 arm64_image: ${{ steps.arm64_image.outputs.image }}
- needs: [build-and-test, checkout-branch]
 env:
 head_sha: ${{ needs.checkout-branch.outputs.PR_head_sha }}
+ permissions:
+ packages: write
+ actions: read
 steps:
 - uses: actions/download-artifact@v3
 with:
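Review bot: The new `pull-requests: write` on check-before-build carries no comment naming the step that needs write access, and because a job-level `permissions` block sets every unlisted scope to none, a reader cannot tell from the diff whether write is the minimum or read would do. I would add a line above it such as `# pull-requests: write — needed by <step name> to report the result on the PR`, filled in from the steps below. This job is also the gate for a comment-triggered run: the visible `if:` checks the repository owner, that the issue is a pull request and the `/build_test` prefix, so any check of who posted the comment must live in steps outside this hunk and is worth confirming now that the job holds a write-scoped token.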
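Review bot: The `packages: write` grant on push-to-ghcr gives a comment-triggered run a token that can publish to the registry, and the image it pushes is built from the PR head (`head_sha` is taken from checkout-branch's outputs), so the only thing standing between a contributor's code and a published package is the gate in check-before-build, whose checks are not visible in this diff. A comment on the block, e.g. `# packages: write — push the PR test image to ghcr.io; actions: read — <step that needs it>`, would record why each scope is there; `actions: read` in particular is likely unnecessary for `actions/download-artifact@v3` reading an artifact from the same run. Separately, the second hunk drops the read-only block from checkout-branch, so that job now runs with the workflow-level or repository default token; if the file has no top-level `permissions:` (not visible here), that default can be read/write, and keeping an explicit read-only block on that job would avoid it. The steps of push-to-ghcr continue past the end of the hunk.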