Reduced scope of id-token acquisition permission (#459)

In accordance with the [GitHub Blog Post](https://github.blog/changelog/2023-06-15-github-actions-securing-openid-connect-oidc-token-permissions-in-reusable-workflows), the permission for acquiring an id token from GitHub ``` permissions: id-token: write ``` has been moved from the workflow context to the job requiring it for logging into Azure using federated authentication
ThorstenSauter · Jun 18, 2023 · f71f825 · f71f825
1 parent a5a32ae
commit f71f825
Showing 1 changed file with 3 additions and 4 deletions.
diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml
@@ -7,10 +7,6 @@ on:
 
   workflow_dispatch:
 
-permissions:
-  contents: read
-  id-token: write
-
 env:
   IMAGE_NAME: ${{ vars.REGISTRY_NAME }}.azurecr.io/${{ vars.IMAGE_NAME }}:${{ github.event.release.tag_name }}
 
@@ -19,6 +15,9 @@ jobs:
     name: Promote container image for production
     runs-on: ubuntu-latest
     environment: production
+    permissions:
+      contents: read
+      id-token: write
     env:
       SOURCE_IMAGE_NAME: ${{ vars.REGISTRY_NAME }}.azurecr.io/${{ vars.IMAGE_NAME }}:${{ github.sha }}
       TARGET_IMAGE_NAME: ${{ vars.IMAGE_NAME }}:${{ github.event.release.tag_name }}