From 28783601ff92e69ceac7e5cd240b19f45f2065fa Mon Sep 17 00:00:00 2001
From: Paul Rogers <129207811+paul1r@users.noreply.github.com>
Date: Wed, 30 Apr 2025 09:04:20 -0400
Subject: [PATCH] chore(ci): Add more oidc perms for image publishing jobs (#17523)

---
.github/release-workflows.jsonnet | 4 ++++
.github/workflows/images.yml | 12 ++++++++++++
2 files changed, 16 insertions(+)

diff --git a/.github/release-workflows.jsonnet b/.github/release-workflows.jsonnet
index 2b2f19b730..61c1aa9caf 100644
--- a/.github/release-workflows.jsonnet
+++ b/.github/release-workflows.jsonnet
@@ -247,6 +247,10 @@ local lambdaPromtailJob =
['%s-image' % name]: weeklyImageJobs[name] + job.withNeeds(['check'])
+ + job.withPermissions({
+ contents: 'read',
+ 'id-token': 'write',
+ })
+ job.withEnv({ BUILD_TIMEOUT: imageBuildTimeoutMin, RELEASE_REPO: 'grafana/loki',
diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml
index 948a0c1b90..96989ca4c9 100644
--- a/.github/workflows/images.yml
+++ b/.github/workflows/images.yml
@@ -116,6 +116,9 @@
"image_digest_linux_arm64": "${{ steps.digest.outputs.digest_linux_arm64 }}"
"image_name": "${{ steps.weekly-version.outputs.image_name }}"
"image_tag": "${{ steps.weekly-version.outputs.image_version }}"
+ "permissions":
+ "contents": "read"
+ "id-token": "write"
"runs-on": "${{ matrix.runs_on }}"
"steps":
- "name": "pull release library code"
@@ -236,6 +239,9 @@
"image_digest_linux_arm64": "${{ steps.digest.outputs.digest_linux_arm64 }}"
"image_name": "${{ steps.weekly-version.outputs.image_name }}"
"image_tag": "${{ steps.weekly-version.outputs.image_version }}"
+ "permissions":
+ "contents": "read"
+ "id-token": "write"
"runs-on": "${{ matrix.runs_on }}"
"steps":
- "name": "pull release library code"
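Review bot: The added `job.withPermissions({ contents: 'read', 'id-token': 'write' })` does not extend the job's permissions, it replaces them: on GitHub Actions a job-level `permissions` key sets every scope not listed to none, so any scope these image jobs previously inherited from the workflow level (for example a `packages` scope, if the push step targets GHCR) is silently dropped. Please confirm the four generated jobs in images.yml (the `@@ -116`, `@@ -236`, `@@ -356` and `@@ -476` hunks, which appear to be rendered from this jsonnet) still hold every scope their publish step needs, and that `id-token: write` is granted only to jobs that actually exchange the OIDC token. A one-line why-comment on the new block would help later readers keep the set minimal, e.g. `// id-token: write lets the job mint an OIDC token for federated registry auth; nothing else is needed here` (the token consumer itself is not visible in this hunk, so adjust the wording to the real step). The object that builds `['%s-image' % name]` starts and ends outside the hunk.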
@@ -356,6 +362,9 @@
"image_digest_linux_arm64": "${{ steps.digest.outputs.digest_linux_arm64 }}"
"image_name": "${{ steps.weekly-version.outputs.image_name }}"
"image_tag": "${{ steps.weekly-version.outputs.image_version }}"
+ "permissions":
+ "contents": "read"
+ "id-token": "write"
"runs-on": "${{ matrix.runs_on }}"
"steps":
- "name": "pull release library code"
@@ -476,6 +485,9 @@
"image_digest_linux_arm64": "${{ steps.digest.outputs.digest_linux_arm64 }}"
"image_name": "${{ steps.weekly-version.outputs.image_name }}"
"image_tag": "${{ steps.weekly-version.outputs.image_version }}"
+ "permissions":
+ "contents": "read"
+ "id-token": "write"
"runs-on": "${{ matrix.runs_on }}"
"steps":
- "name": "pull release library code"