From ac0550bad6e5a66f07870bff01d423c5bb71df17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A1szl=C3=B3=20Vask=C3=B3?= <1771332+vlaci@users.noreply.github.com>
Date: Tue, 4 Feb 2025 11:34:21 +0100
Subject: [PATCH] ci: fix docker registry permission

The default permission of the job has been restricted, so we need to opt-in for a higher permission level in the docker image builder job.
https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
---
 .github/workflows/CI.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 3f27dac5d6..3fbee5f277 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -276,6 +276,11 @@ jobs:
 name: Build Docker image
 if: github.event_name == 'push' || contains(github.event.*.labels.*.name, 'dependencies')
 needs: [build_linux_wheels]
+ permissions:
+ # needed for sarif report upload
+ security-events: write
+ # needed for pushing to registry
+ packages: write
 runs-on: ubuntu-latest
 strategy:
 fail-fast: false
@@ -377,6 +382,9 @@ jobs:
 runs-on: ubuntu-latest
 needs:
 - build-image
+ permissions:
+ # needed for pushing to registry
+ packages: write
 steps:
 - name: Download digests
 uses: actions/download-artifact@v4
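Review bot: The new `permissions` block on the image build job applies to every run that the `if:` above admits, so builds for pull requests labelled `dependencies` request `packages: write` and `security-events: write` just as push builds do. The workflow triggers and the push and upload steps are outside this hunk, so confirm that the registry push and SARIF upload steps are themselves gated on `github.event_name == 'push'`, and that the workflow does not run under `pull_request_target`. Once a job sets `permissions`, every scope it does not list becomes `none`, so if a step in this job checks out the repository, add `contents: read` next to the two new entries.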
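Review bot: With `packages: write` added to this job, every action it runs executes with a token that can publish to the registry, and the one action visible in the hunk, `actions/download-artifact@v4`, is referenced by a mutable tag. Consider pinning the actions in this job to full commit SHAs, for example `uses: actions/download-artifact@<full-commit-sha>  # v4`, so a retagged release cannot run with that token. The job's remaining steps are outside the hunk, so the same check applies to whichever login and push actions follow.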