Current users need to set the exact same set of permissions used in our reusable workflows when calling it: https://github.com/docker/github-builder-experimental/blob/8e86ef337e3bb69616d52def17e764a14a827ef8/.github/workflows/build.yml#L143-L146
Like: https://github.com/tonistiigi/xx/pull/217/files#diff-5c3fa597431eda03ac3339ae6bf7f05e1a50d6fc7333679ec38e21b337cb6721R138-R141
That's because GitHub Actions currently does not allow a reusable workflow to raise its own permissions above what the caller provides, so the caller must provide permissions ≥ these; otherwise the workflow is blocked for security reasons.
In our case we only want:

```yaml
permissions:
  contents: read
  id-token: write
```

The `packages: write` permission is only necessary if the user wants to push to GHCR.
It seems the only way to avoid this is to move the `packages: write` permission to the step requiring it and duplicate this one if the user doesn't push to GHCR.
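The workaround described above, as an added illustration rather than the project's actual `build.yml`: the reusable workflow keeps `contents: read` and `id-token: write` as its baseline and only the job that pushes to GHCR requests `packages: write`, gated by a `workflow_call` input. The input name `push-to-ghcr`, the job names and the build/push commands are assumptions made for this example; `actions/checkout`, `docker/login-action` and the `GITHUB_TOKEN` behaviour are standard GitHub Actions features.

```yaml
# Called (reusable) workflow, e.g. .github/workflows/build.yml
# Added example; not the docker/github-builder-experimental code.
# `push-to-ghcr` and the job names are assumptions for illustration.
name: build

on:
  workflow_call:
    inputs:
      push-to-ghcr:
        description: Push the image to GHCR (caller must then grant packages:write)
        type: boolean
        default: false

# Baseline for every job: the minimal set the post says is needed.
# A reusable workflow can only keep or lower what the caller grants,
# never raise it, so this must be <= the caller's permissions.
permissions:
  contents: read
  id-token: write

jobs:
  # Variant 1: build only. Never requests packages:write, so a caller
  # that grants just contents:read and id-token:write is accepted.
  build:
    if: ${{ !inputs.push-to-ghcr }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t ghcr.io/${{ github.repository }}:latest .

  # Variant 2: build and push. This is the duplicated job from the post:
  # only it requests packages:write, and it is skipped unless the caller
  # opts in, so the elevated permission is demanded only from callers
  # that actually push to GHCR.
  build-push:
    if: ${{ inputs.push-to-ghcr }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - run: docker build -t ghcr.io/${{ github.repository }}:latest .
      - run: docker push ghcr.io/${{ github.repository }}:latest
```

A caller that does not push declares only `contents: read` and `id-token: write` on its `uses:` job and passes `with: push-to-ghcr: false` (or omits the input); a caller that pushes adds `packages: write` and sets `push-to-ghcr: true`. If a caller forgets the extra permission while opting in, the `build-push` job fails at the permission check rather than running with a token it was never granted, which is the intended least-privilege outcome.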