Commit 006bcaf
authored
fix: reduce verify job packages permission to read-only (#73)
## Summary
The `verify` job in `docker-publish.yml` only inspects existing images
using `docker buildx imagetools inspect` — it never pushes. Reduces
`packages: write` to `packages: read` to satisfy least-privilege
(OSPS-AC-04.02).
All other job permissions were reviewed and are already correctly
scoped:
- `build-and-push`: needs `packages: write` + `id-token: write` +
`attestations: write` for pushing images and SLSA attestation
- `scan`: needs `security-events: write` for SARIF upload, `packages:
read` for pulling image
- `merge`: needs `contents: write` for git tag + GitHub Release,
`packages: write` for manifest creation
- `cleanup`: needs `packages: write` for deleting GHCR tags
- `pre-merge-cd-check`: needs `packages: write` for push/cleanup of PR
test images
## Test plan
- [ ] Pipeline passes on next merge to main
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Signed-off-by: Paradoxbound <paradoxbound@users.noreply.github.com>
Co-authored-by: Paradoxbound <paradoxbound@users.noreply.github.com>1 parent 296880b commit 006bcaf
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
137 | 137 | | |
138 | 138 | | |
139 | 139 | | |
140 | | - | |
| 140 | + | |
141 | 141 | | |
142 | 142 | | |
143 | 143 | | |
| |||
0 commit comments