ci: fix docker registry permission

The default permission of the job has been restricted, so we need to opt-in for a higher permission level in the docker image builder job. https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
onekey-sec · Feb 4, 2025 · ac0550b · ac0550b
1 parent 3a7c6a1
commit ac0550b
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
@@ -276,6 +276,11 @@ jobs:
     name: Build Docker image
     if: github.event_name == 'push' || contains(github.event.*.labels.*.name, 'dependencies')
     needs: [build_linux_wheels]
+    permissions:
+      # needed for sarif report upload
+      security-events: write
+      # needed for pushing to registry
+      packages: write
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -377,6 +382,9 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - build-image
+    permissions:
+      # needed for pushing to registry
+      packages: write
     steps:
       - name: Download digests
         uses: actions/download-artifact@v4