Merge pull request #16264 from miodvallat/backport-16169-to-auth-4.9.x

rgacogne · web-flow · commit a050f798bf8c · 2025-10-15T10:03:05.000+02:00
auth: backport "build-docker-images-tags: Grant enough permissions to sign images" to 4.9.x
diff --git a/.github/workflows/build-docker-images-tags.yml b/.github/workflows/build-docker-images-tags.yml
@@ -11,6 +11,9 @@ on:
 permissions:
   actions: read
   contents: read
+  # This is used to complete the identity challenge
+  # with sigstore/fulcio when running outside of PRs.
+  id-token: write
 
 jobs:
   prepare:
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -8,6 +8,9 @@ on:
 permissions: # least privileges, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
   contents: read
   actions: read
+  # This is used to complete the identity challenge
+  # with sigstore/fulcio when running outside of PRs.
+  id-token: write
 
 jobs:
   call-build-image-auth:
