explicit permissions

Author: anthony-nhs

.github/workflows/build_all_images.yml

@@ -11,7 +11,11 @@ name: build_all_images
       NO_CACHE:
         required: true
         type: boolean
-permissions: {}
+permissions:
+  attestations: write
+  contents: read
+  packages: write
+  id-token: write
 jobs:
   discover_folders:
     runs-on: ubuntu-latest

.github/workflows/ci.yml

@@ -36,6 +36,11 @@ jobs:
     needs: 
       - tag_release
     uses: ./.github/workflows/build_all_images.yml 
+    permissions:
+      attestations: write
+      contents: read
+      packages: write
+      id-token: write
     with: 
       docker_tag: 'ci-${{ needs.tag_release.outputs.version_tag }}'
       tag_latest: false

.github/workflows/pull_request.yml

@@ -81,6 +81,11 @@ jobs:
       - get_issue_number
       - get_commit_id
     uses: ./.github/workflows/build_all_images.yml 
+    permissions:
+      attestations: write
+      contents: read
+      packages: write
+      id-token: write
     with: 
       docker_tag: 'pr-${{ needs.get_issue_number.outputs.issue_number }}-${{ needs.get_commit_id.outputs.sha_short }}'
       tag_latest: false

.github/workflows/release.yml

@@ -39,6 +39,11 @@ jobs:
     needs: 
       - tag_release
     uses: ./.github/workflows/build_all_images.yml 
+    permissions:
+      attestations: write
+      contents: read
+      packages: write
+      id-token: write
     with: 
       docker_tag: '${{ needs.tag_release.outputs.version_tag }}'
       tag_latest: true