From 1cf84497a9e6f6291fa6a002d04c619dd041876f Mon Sep 17 00:00:00 2001
From: Brett Hoerner
Date: Wed, 7 Feb 2024 08:15:02 -0700
Subject: [PATCH] Configure Actions permissions for build runs

---
 .github/workflows/docker-capture.yml | 5 +++++
 .github/workflows/docker-hook-api.yml | 5 +++++
 .github/workflows/docker-hook-janitor.yml | 5 +++++
 .github/workflows/docker-hook-worker.yml | 5 +++++
 .github/workflows/docker-migrator.yml | 5 +++++
 5 files changed, 25 insertions(+)

diff --git a/.github/workflows/docker-capture.yml b/.github/workflows/docker-capture.yml
index c6d1865..4426828 100644
--- a/.github/workflows/docker-capture.yml
+++ b/.github/workflows/docker-capture.yml
@@ -13,6 +13,11 @@ jobs:
   build:
     name: build and publish capture image
     runs-on: buildjet-4vcpu-ubuntu-2204-arm
+    permissions:
+      id-token: write # allow issuing OIDC tokens for this workflow run
+      contents: read # allow reading the repo contents
+      packages: write # allow push to ghcr.io
+
     steps:
       - name: Check Out Repo
         uses: actions/checkout@v3
diff --git a/.github/workflows/docker-hook-api.yml b/.github/workflows/docker-hook-api.yml
index 0bf097c..4df1eb6 100644
--- a/.github/workflows/docker-hook-api.yml
+++ b/.github/workflows/docker-hook-api.yml
@@ -13,6 +13,11 @@ jobs:
   build:
     name: build and publish hook-api image
     runs-on: buildjet-4vcpu-ubuntu-2204-arm
+    permissions:
+      id-token: write # allow issuing OIDC tokens for this workflow run
+      contents: read # allow reading the repo contents
+      packages: write # allow push to ghcr.io
+
     steps:
       - name: Check Out Repo
         uses: actions/checkout@v3
diff --git a/.github/workflows/docker-hook-janitor.yml b/.github/workflows/docker-hook-janitor.yml
index 66b0eef..0894d45 100644
--- a/.github/workflows/docker-hook-janitor.yml
+++ b/.github/workflows/docker-hook-janitor.yml
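Review bot: Declaring a job-level `permissions` block sets every scope not listed to `none`, so once this lands any step in the `build` job that relied on the default token for another scope (for example `actions: read` for cache/artifact access or `pull-requests: write` for PR comments) will start failing with 403; the remaining steps of the job are outside the hunk, so please confirm none of them needs another scope. `id-token: write` should only stay if a step in this job actually exchanges the OIDC token (a cloud login or a builder/registry that authenticates via OIDC); if nothing does, dropping it keeps the token minimal, and the comment should then name the consuming step so the grant stays justified. The identical block is added to docker-hook-api.yml, docker-hook-janitor.yml, docker-hook-worker.yml and docker-migrator.yml, so the same check applies to each of those jobs. For the inline comments, yamllint expects two spaces before `#`, e.g. `id-token: write  # allow issuing OIDC tokens for this workflow run`. Outside this change but visible in the hunk, `actions/checkout@v3` is a mutable tag; pinning it to a full commit SHA would complement the token hardening this commit introduces.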
@@ -13,6 +13,11 @@ jobs:
   build:
     name: build and publish hook-janitor image
     runs-on: buildjet-4vcpu-ubuntu-2204-arm
+    permissions:
+      id-token: write # allow issuing OIDC tokens for this workflow run
+      contents: read # allow reading the repo contents
+      packages: write # allow push to ghcr.io
+
     steps:
       - name: Check Out Repo
         uses: actions/checkout@v3
diff --git a/.github/workflows/docker-hook-worker.yml b/.github/workflows/docker-hook-worker.yml
index bb4998f..2568f5e 100644
--- a/.github/workflows/docker-hook-worker.yml
+++ b/.github/workflows/docker-hook-worker.yml
@@ -13,6 +13,11 @@ jobs:
   build:
     name: build and publish hook-worker image
     runs-on: buildjet-4vcpu-ubuntu-2204-arm
+    permissions:
+      id-token: write # allow issuing OIDC tokens for this workflow run
+      contents: read # allow reading the repo contents
+      packages: write # allow push to ghcr.io
+
     steps:
       - name: Check Out Repo
         uses: actions/checkout@v3
diff --git a/.github/workflows/docker-migrator.yml b/.github/workflows/docker-migrator.yml
index b6bfad6..250fe9b 100644
--- a/.github/workflows/docker-migrator.yml
+++ b/.github/workflows/docker-migrator.yml
@@ -13,6 +13,11 @@ jobs:
   build:
     name: build and publish hook-migrator image
     runs-on: buildjet-4vcpu-ubuntu-2204-arm
+    permissions:
+      id-token: write # allow issuing OIDC tokens for this workflow run
+      contents: read # allow reading the repo contents
+      packages: write # allow push to ghcr.io
+
     steps:
       - name: Check Out Repo
         uses: actions/checkout@v3