Merge branch 'main' into dependabot/npm_and_yarn/npm-development-d185e289e1

2025-12-17 12:49:27 +00:00 · 2024-04-22 09:13:06 -07:00 · 2024-04-22 09:13:06 -07:00 · cbd145074f
commit cbd145074f
parent f677592a32 e9e8f489ae
2 changed files with 8 additions and 5 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -50,7 +50,8 @@ jobs:
    name: Test attest-provenance action
    runs-on: ubuntu-latest
    permissions:
-      contents: write
+      attestations: write
+      contents: read
      id-token: write

    steps:
--- a/README.md
+++ b/README.md
@ -29,11 +29,11 @@ attest:
   ```yaml
   permissions:
     id-token: write
-     contents: write # TODO: Update this
+     attestations: write
   ```

   The `id-token` permission gives the action the ability to mint the OIDC token
-   permission is necessary to persist the attestation. The `contents` permission
+   permission is necessary to persist the attestation. The `attestations` permission
   is necessary to persist the attestation.

 1. Add the following to your workflow after your artifact has been built:
@ -112,7 +112,8 @@ jobs:
  build:
    permissions:
      id-token: write
-      contents: write
+      contents: read
+      attestations: write

    steps:
      - name: Checkout
@ -166,7 +167,8 @@ jobs:
    permissions:
      id-token: write
      packages: write
-      contents: write
+      contents: read
+      attestations: write
    env:
      REGISTRY: ghcr.io
      IMAGE_NAME: ${{ github.repository }}