Skip to content

Commit 006bcaf

Browse files
authored
fix: reduce verify job packages permission to read-only (#73)
## Summary The `verify` job in `docker-publish.yml` only inspects existing images using `docker buildx imagetools inspect` — it never pushes. Reduces `packages: write` to `packages: read` to satisfy least-privilege (OSPS-AC-04.02). All other job permissions were reviewed and are already correctly scoped: - `build-and-push`: needs `packages: write` + `id-token: write` + `attestations: write` for pushing images and SLSA attestation - `scan`: needs `security-events: write` for SARIF upload, `packages: read` for pulling image - `merge`: needs `contents: write` for git tag + GitHub Release, `packages: write` for manifest creation - `cleanup`: needs `packages: write` for deleting GHCR tags - `pre-merge-cd-check`: needs `packages: write` for push/cleanup of PR test images ## Test plan - [ ] Pipeline passes on next merge to main 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Signed-off-by: Paradoxbound <paradoxbound@users.noreply.github.com> Co-authored-by: Paradoxbound <paradoxbound@users.noreply.github.com>
1 parent 296880b commit 006bcaf

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

.github/workflows/docker-publish.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -137,7 +137,7 @@ jobs:
137137
if: needs.check-version.outputs.is-new-version == 'true'
138138
permissions:
139139
contents: read
140-
packages: write
140+
packages: read
141141

142142
outputs:
143143
amd64_digest: ${{ steps.check.outputs.amd64_digest }}

0 commit comments

Comments
 (0)