Generate provenance for container images

Signed-off-by: Stefan Prodan <[email protected]>
fluxcd · Jun 21, 2023 · 2d7f517 · 2d7f517
1 parent 8a822e1
commit 2d7f517
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -129,9 +129,9 @@ jobs:
   dockerhub-provenance:
     needs: [release]
     permissions:
-      actions: read # To read the workflow path.
-      id-token: write # To sign the provenance.
-      contents: write # To add assets to the release.
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
     uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
     with:
       image: ${{ needs.release.outputs.image_url }}
@@ -143,9 +143,9 @@ jobs:
   ghcr-provenance:
     needs: [release]
     permissions:
-      actions: read # To read the workflow path.
-      id-token: write # To sign the provenance.
-      contents: write # To add assets to the release.
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
     uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
     with:
       image: ghcr.io/${{ needs.release.outputs.image_url }}