set minimal permissions for wokrflows

Signed-off-by: CrazyMax <[email protected]>

Author: crazy-max

.github/workflows/.test.yml

@@ -22,7 +22,6 @@ jobs:
     uses: ./.github/workflows/build.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
@@ -56,7 +55,6 @@ jobs:
     uses: ./.github/workflows/build.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
@@ -125,7 +123,6 @@ jobs:
     uses: ./.github/workflows/build.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
@@ -158,7 +155,6 @@ jobs:
     uses: ./.github/workflows/build.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
@@ -233,7 +229,6 @@ jobs:
     uses: ./.github/workflows/build.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       output: ${{ github.event_name != 'pull_request' && 'local' || 'cacheonly' }}
@@ -254,7 +249,6 @@ jobs:
     uses: ./.github/workflows/build.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       output: ${{ github.event_name != 'pull_request' && 'local' || 'cacheonly' }}
@@ -274,7 +268,6 @@ jobs:
     uses: ./.github/workflows/bake.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       context: test
@@ -310,7 +303,6 @@ jobs:
     uses: ./.github/workflows/bake.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       context: test
@@ -346,7 +338,6 @@ jobs:
     uses: ./.github/workflows/bake.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       context: test
@@ -389,7 +380,6 @@ jobs:
     uses: ./.github/workflows/bake.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       context: test
@@ -411,7 +401,6 @@ jobs:
     uses: ./.github/workflows/bake.yml
     permissions:
       contents: read
-      packages: write
       id-token: write
     with:
       context: test

.github/workflows/bake.yml

@@ -1,5 +1,8 @@
 name: bake
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
@@ -142,8 +145,6 @@ env:
 jobs:
   prepare:
     runs-on: ${{ inputs.runs-on || 'ubuntu-latest' }}
-    permissions:
-      contents: read
     outputs:
       includes: ${{ steps.set.outputs.includes }}
     steps:
@@ -259,10 +260,6 @@ jobs:
     runs-on: ${{ matrix.runs-on }}
     needs:
       - prepare
-    permissions:
-      contents: read
-      id-token: write # for signing attestation manifests with GitHub OIDC Token
-      packages: write # only used if pushing to GHCR but needs to be defined as caller must provide permissions ≥ to those used in the reusable workflow
     strategy:
       fail-fast: false
       matrix:
@@ -631,9 +628,6 @@ jobs:
 
   finalize:
     runs-on: ${{ inputs.runs-on || 'ubuntu-latest' }}
-    permissions:
-      contents: read
-      packages: write # only used if pushing to GHCR but needs to be defined as caller must provide permissions ≥ to those used in the reusable workflow
     outputs:
       cosign-version: ${{ env.COSIGN_VERSION }}
       cosign-verify-commands: ${{ steps.set.outputs.cosign-verify-commands }}

.github/workflows/build.yml

@@ -1,5 +1,8 @@
 name: build
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
@@ -144,10 +147,6 @@ jobs:
       cosign-verify-commands: ${{ steps.signing-attestation-manifests.outputs.verify-commands || steps.signing-local-artifacts.outputs.verify-commands }}
       artifact-name: ${{ inputs.artifact-name }}
       output-type: ${{ inputs.output }}
-    permissions:
-      contents: read
-      id-token: write # for signing attestation manifests with GitHub OIDC Token
-      packages: write # only used if pushing to GHCR but needs to be defined as caller must provide permissions ≥ to those used in the reusable workflow
     steps:
       -
         name: Docker meta

.github/workflows/verify.yml

@@ -1,5 +1,8 @@
 name: verify
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:

README.md

@@ -37,7 +37,6 @@ on:
     permissions:
       contents: read
       id-token: write # for signing attestation manifests with GitHub OIDC Token
-      packages: write # only used if pushing to GHCR but needs to be defined as caller must provide permissions ≥ to those used in the reusable workflow
     with:
       output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
       meta-images: name/app
@@ -92,7 +91,6 @@ on:
     permissions:
       contents: read
       id-token: write # for signing attestation manifests with GitHub OIDC Token
-      packages: write # only used if pushing to GHCR but needs to be defined as caller must provide permissions ≥ to those used in the reusable workflow
     with:
       output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
       meta-images: name/app