From 6b2590ceb789d5c4019f605801ca04fe2dd3bcdf Mon Sep 17 00:00:00 2001
From: Matt Moore
Date: Thu, 18 Jan 2024 15:05:26 -0800
Subject: [PATCH] Audit the permissions on workflows.

This reduces the digestabot permissions to reflect the use of a PAT, and adds explicit permissions to the release workflow.

Signed-off-by: Matt Moore
---
 .github/workflows/digestabot.yaml | 4 +---
 .github/workflows/release.yml | 4 ++++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/digestabot.yaml b/.github/workflows/digestabot.yaml
index eac45ce5..9ffeddb0 100644
--- a/.github/workflows/digestabot.yaml
+++ b/.github/workflows/digestabot.yaml
@@ -11,9 +11,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
- contents: write
- pull-requests: write
- id-token: write
+ id-token: write # Used for gitsign
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 37d05b73..510606e5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,8 +3,12 @@ on:
 push:
 tags:
 - 'v*'
+
 jobs:
 goreleaser:
+ permissions:
+ contents: write # To publish the release.
+
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
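Review bot: After this hunk the job's `permissions:` block grants only `id-token: write`, which sets every other GITHUB_TOKEN scope to `none`, including `contents`; the `actions/checkout@v4` step at the end of the hunk still authenticates with GITHUB_TOKEN unless it is given `token:`, so on a private repository the checkout would fail. If the repository is not public, add `contents: read # Needed by actions/checkout` next to `id-token: write`. The commit message says the pull request is now opened with a PAT, but the step that uses it is outside this hunk; a comment on the `permissions:` block naming the secret and the minimal scopes it is provisioned with would let the next reader audit the job without opening the secret store, e.g. `# Write access for the PR comes from a fine-grained PAT on that step, not from GITHUB_TOKEN`. The job's remaining steps continue outside the hunk.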
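Review bot: `contents: write` is the right minimum for GoReleaser to create the GitHub release and upload assets, but if the GoReleaser config also signs artifacts with keyless cosign or emits provenance the job will additionally need `id-token: write`, and any cross-repo publish (a Homebrew tap, for instance) needs its own token; the goreleaser step that would show this is outside the hunk, so confirm against the config. If this is the only `permissions:` block in the file it is worth stating the defaulting rule in the comment, e.g. `contents: write # Minimum for GoReleaser to create the release and upload assets; all other GITHUB_TOKEN scopes default to none.` The `v*` tag trigger means anyone who can push a matching tag can cut a release with this write token, so a tag protection rule on `v*` is the complementary control to review alongside this change.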