git: Fixed CI permissions

2025-02-02 04:17:56 +01:00 · 2025-01-11 16:28:29 +01:00 · 2025-01-11 16:28:29 +01:00 · 4b6ff68464
commit 4b6ff68464
parent b23a0febb5
1 changed files with 40 additions and 0 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -18,11 +18,18 @@ jobs:
  win:
    runs-on: windows-2022
    name: 🪟 Windows MINGW64
+
    defaults:
      run:
        shell: msys2 {0}
+
    env:
      CCACHE_DIR:      "${{ github.workspace }}/.ccache"
+
+    permissions:
+      id-token: write
+      attestations: write
+
    steps:
    - name: 🧰 Checkout
      uses: actions/checkout@v4
@ -128,12 +135,16 @@ jobs:
  win-plugin-template-test:
    runs-on: windows-2022
    name: 🧪 Plugin Template Test
+
    defaults:
      run:
        shell: msys2 {0}
+
    needs: win
+
    env:
      IMHEX_SDK_PATH: "${{ github.workspace }}/out/sdk"
+
    steps:
      - name: 🧰 Checkout ImHex
        uses: actions/checkout@v4
@ -182,6 +193,10 @@ jobs:
  macos:
    runs-on: macos-13

+    permissions:
+      id-token: write
+      attestations: write
+
    strategy:
      fail-fast: false
      matrix:
@ -338,8 +353,10 @@ jobs:
  macos-arm64-build:
    runs-on: ubuntu-24.04
    name: 🍎 macOS 13 arm64
+
    outputs:
      IMHEX_VERSION: ${{ steps.build.outputs.IMHEX_VERSION }}
+
    steps:
    - name: 🧰 Checkout
      uses: actions/checkout@v4
@ -383,8 +400,14 @@ jobs:
    runs-on: macos-13
    name: 🍎 macOS 13 arm64 Packaging
    needs: macos-arm64-build
+
    env:
      IMHEX_VERSION: ${{ needs.macos-arm64-build.outputs.IMHEX_VERSION }}
+
+    permissions:
+      id-token: write
+      attestations: write
+
    steps:
      - name: ⬇️ Download artifact
        uses: actions/download-artifact@v4
@ -462,6 +485,10 @@ jobs:
      image: "ubuntu:${{ matrix.release_num }}"
      options: --privileged

+    permissions:
+      id-token: write
+      attestations: write
+
    steps:
      - name: ⬇️ Install setup dependencies
        run: apt update && apt install -y git curl
@ -539,6 +566,11 @@ jobs:
  appimage:
    runs-on: ubuntu-24.04
    name: ⬇️ AppImage
+
+    permissions:
+      id-token: write
+      attestations: write
+
    steps:
      - name: 🧰 Checkout
        uses: actions/checkout@v4
@ -592,6 +624,10 @@ jobs:
    container:
      image: archlinux:base-devel

+    permissions:
+      id-token: write
+      attestations: write
+
    steps:
      - name: ⬇️ Update all packages
        run: |
@ -719,6 +755,10 @@ jobs:
      image: "almalinux:9"
      options: --privileged --pid=host --security-opt apparmor=unconfined

+    permissions:
+      id-token: write
+      attestations: write
+
    steps:
      # This, together with the `--pid=host --security-opt apparmor=unconfined` docker options is required to allow
      # fedpkg to work inside a Docker container running on Ubuntu again.