diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 5b28367..822d1a9 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -49,9 +49,9 @@ jobs:
 needs: get_config_values
 uses: ./.github/workflows/tag-release-devcontainer.yml
 permissions:
- packages: read
 id-token: write
 contents: write
+ packages: write
 with:
 dry_run: true
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0b95dfc..e1322de 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,6 +32,7 @@ jobs:
 permissions:
 id-token: write
 contents: write
+ packages: write
 with:
 dry_run: false
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
diff --git a/.github/workflows/tag-release-devcontainer.yml b/.github/workflows/tag-release-devcontainer.yml
index eeaa87a..a99c7da 100644
--- a/.github/workflows/tag-release-devcontainer.yml
+++ b/.github/workflows/tag-release-devcontainer.yml
@@ -86,6 +86,7 @@ jobs:
 permissions:
 id-token: "write"
 contents: "write"
+ packages: "write"
 runs-on: ubuntu-22.04
 container:
 image: ${{ inputs.pinned_image }}
diff --git a/README.md b/README.md
index 13270b9..f6290d9 100644
--- a/README.md
+++ b/README.md
@@ -174,6 +174,10 @@ jobs:
 tag_release:
 uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@f5c8313a10855d0cc911db6a9cd666494c00045a
 needs: [get_config_values]
+ permissions:
+ id-token: write
+ contents: write
+ packages: write
 with:
 tag_format: "v\\${version}-beta"
 dry_run: true
diff --git a/zizmor.yml b/zizmor.yml
index e427669..2c176dc 100644
--- a/zizmor.yml
+++ b/zizmor.yml
@@ -14,4 +14,4 @@ rules:
 artipacked:
 ignore:
 # this is ignored as its based on using an input to the workflow
- - tag-release-devcontainer.yml:114:15
+ - tag-release-devcontainer.yml:115:15
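Review bot: The pull-request caller now hands `packages: write` to a job it invokes with `dry_run: true`, alongside `id-token: write` and `contents: write`; the same grant is added in release.yml and declared on the job in tag-release-devcontainer.yml. Nothing in the visible lines shows what the job publishes: the only package use in view is `container: image: ${{ inputs.pinned_image }}`, and pulling an image needs `packages: read` only. If write is needed for a publishing step outside these hunks, I would say so beside the grant, e.g. `# packages: write - needed to push <package the job publishes>`, and consider moving that step into its own job so the dry-run path can stay on `packages: read`. The job bodies lie outside the hunks, so this is based on the permission blocks alone.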
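Review bot: The `artipacked` exemption is pinned to `tag-release-devcontainer.yml:115:15`, so it had to be renumbered for a one-line insertion and will drift again on the next edit above that step, at which point it either stops matching or lands on a different line. An inline `# zizmor: ignore[artipacked]` comment on the step itself would move with the code. The exemption is also worth re-checking on its merits: with this commit the job token gains `packages: write`, so any credential that step leaves behind is presumably more capable than when the ignore was first justified.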