Update README.md to refer to attestations permission (#37)

* Update README.md to refer to `attestations` permission * Update ci.yml * Update README.md Co-authored-by: Brian DeHamer <bdehamer@github.com> * Update README.md Co-authored-by: Brian DeHamer <bdehamer@github.com> * Update .github/workflows/ci.yml Co-authored-by: Brian DeHamer <bdehamer@github.com> --------- Co-authored-by: Brian DeHamer <bdehamer@github.com>
2024-04-15 14:52:46 -04:00
parent dc20ac4f5d
commit 6a7057735b
2 changed files with 8 additions and 5 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -50,7 +50,8 @@ jobs:
    name: Test attest action
    runs-on: ubuntu-latest
    permissions:
-      contents: write
+      contents: read
+      attestations: write
      id-token: write
    env:
      SUBJECT: /repos/${{ github.repository }}/tarball/${{ github.sha }}
--- a/README.md
+++ b/README.md
@@ -31,11 +31,11 @@ attest:
   ```yaml
   permissions:
     id-token: write
-     contents: write # TODO: Update this
+     attestations: write
   ```

   The `id-token` permission gives the action the ability to mint the OIDC token
-   necessary to request a Sigstore signing certificate. The `contents`
+   necessary to request a Sigstore signing certificate. The `attestations`
   permission is necessary to persist the attestation.

 1. Add the following to your workflow after your artifact has been built:
@@ -128,7 +128,8 @@ jobs:
  build:
    permissions:
      id-token: write
-      contents: write
+      contents: read
+      attestations: write

    steps:
      - name: Checkout
@@ -186,7 +187,8 @@ jobs:
    permissions:
      id-token: write
      packages: write
-      contents: write
+      contents: read
+      attestations: write
    env:
      REGISTRY: ghcr.io
      IMAGE_NAME: ${{ github.repository }}