From 4b6ff68464c714e9f9f97bd7e7ec366c8b4e87bc Mon Sep 17 00:00:00 2001 From: WerWolv Date: Sat, 11 Jan 2025 16:28:29 +0100 Subject: [PATCH] git: Fixed CI permissions --- .github/workflows/build.yml | 40 +++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e636f58fe..be0f91b0f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,11 +18,18 @@ jobs: win: runs-on: windows-2022 name: 🪟 Windows MINGW64 + defaults: run: shell: msys2 {0} + env: CCACHE_DIR: "${{ github.workspace }}/.ccache" + + permissions: + id-token: write + attestations: write + steps: - name: 🧰 Checkout uses: actions/checkout@v4 @@ -128,12 +135,16 @@ jobs: win-plugin-template-test: runs-on: windows-2022 name: 🧪 Plugin Template Test + defaults: run: shell: msys2 {0} + needs: win + env: IMHEX_SDK_PATH: "${{ github.workspace }}/out/sdk" + steps: - name: 🧰 Checkout ImHex uses: actions/checkout@v4 @@ -182,6 +193,10 @@ jobs: macos: runs-on: macos-13 + permissions: + id-token: write + attestations: write + strategy: fail-fast: false matrix: @@ -338,8 +353,10 @@ jobs: macos-arm64-build: runs-on: ubuntu-24.04 name: 🍎 macOS 13 arm64 + outputs: IMHEX_VERSION: ${{ steps.build.outputs.IMHEX_VERSION }} + steps: - name: 🧰 Checkout uses: actions/checkout@v4 @@ -383,8 +400,14 @@ jobs: runs-on: macos-13 name: 🍎 macOS 13 arm64 Packaging needs: macos-arm64-build + env: IMHEX_VERSION: ${{ needs.macos-arm64-build.outputs.IMHEX_VERSION }} + + permissions: + id-token: write + attestations: write + steps: - name: ⬇️ Download artifact uses: actions/download-artifact@v4 @@ -462,6 +485,10 @@ jobs: image: "ubuntu:${{ matrix.release_num }}" options: --privileged + permissions: + id-token: write + attestations: write + steps: - name: ⬇️ Install setup dependencies run: apt update && apt install -y git curl 
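Review bot: The `permissions:` block added to the `win` job lists only `id-token` and `attestations`, and once a job declares `permissions`, every scope it leaves out is set to `none`, so `contents: read` is dropped for the `actions/checkout@v4` step visible in the same hunk. Checkout presumably keeps working only because the repository is public; a private fork or mirror would fail at that step. I would add `contents: read` to the block, plus a comment such as `# id-token + attestations: required by the artifact attestation step`, adjusted to whatever step actually consumes these scopes, since that step is outside the hunk. The same applies to the blocks added in the `macos`, macOS arm64 packaging, `ubuntu:${{ matrix.release_num }}`, `appimage`, `archlinux:base-devel` and `almalinux:9` hunks.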
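Review bot: `id-token: write` is granted to the whole job in the `ubuntu:${{ matrix.release_num }}` hunk, so every step, including `apt update && apt install -y git curl` inside a `--privileged` container, runs in a job that can request an OIDC token for this workflow and write attestations. The same holds for the `archlinux:base-devel` hunk and for the `almalinux:9` hunk, which runs with `--privileged --pid=host --security-opt apparmor=unconfined`. The step that uses these scopes is outside the hunks, so this is inferred, but a narrower layout would leave the build jobs without these scopes and attest the uploaded artifact from a small follow-up job, as sketched below with placeholder names.

```yaml
  # Constructed sketch: job name, artifact name and action ref are placeholders.
  attest:
    runs-on: ubuntu-24.04
    needs: <BUILD_JOB>
    permissions:
      id-token: write
      attestations: write
    steps:
      - name: ⬇️ Download artifact
        uses: actions/download-artifact@v4
        with:
          name: <ARTIFACT_NAME>
          path: out
      - name: Attest build provenance
        uses: actions/attest-build-provenance@<PINNED_COMMIT_SHA>
        with:
          subject-path: out/*
```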
@@ -539,6 +566,11 @@ jobs: appimage: runs-on: ubuntu-24.04 name: ⬇️ AppImage + + permissions: + id-token: write + attestations: write + steps: - name: 🧰 Checkout uses: actions/checkout@v4 @@ -592,6 +624,10 @@ jobs: container: image: archlinux:base-devel + permissions: + id-token: write + attestations: write + steps: - name: ⬇️ Update all packages run: | @@ -719,6 +755,10 @@ jobs: image: "almalinux:9" options: --privileged --pid=host --security-opt apparmor=unconfined + permissions: + id-token: write + attestations: write + steps: # This, together with the `--pid=host --security-opt apparmor=unconfined` docker options is required to allow # fedpkg to work inside a Docker container running on Ubuntu again.