ci: fix docker registry permission

vlaci · vlaci · commit ac0550bad6e5 · 2025-02-04T18:08:58.000+01:00
The default permission of the job has been restricted, so we need to opt-in for a higher permission level in the docker image builder job. https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -276,6 +276,11 @@ jobs:
     name: Build Docker image
     if: github.event_name == 'push' || contains(github.event.*.labels.*.name, 'dependencies')
     needs: [build_linux_wheels]
+    permissions:
+      # needed for sarif report upload
+      security-events: write
+      # needed for pushing to registry
+      packages: write
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -377,6 +382,9 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - build-image
+    permissions:
+      # needed for pushing to registry
+      packages: write
     steps:
       - name: Download digests
         uses: actions/download-artifact@v4
