fix permissions for registry auth through OIDC

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

Author: crazy-max

.github/workflows/bake.yml

@@ -261,8 +261,8 @@ jobs:
       - prepare
     permissions:
       contents: read
-      id-token: write # for signing attestation manifests with GitHub OIDC Token
-      packages: write # only used if pushing to GHCR but needs to be defined as caller must provide permissions ≥ to those used in the reusable workflow
+      id-token: write # for signing attestation manifests and/or registry authentication with GitHub OIDC Token
+      packages: write # for pushing manifests to GHCR if needed
     strategy:
       fail-fast: false
       matrix:
@@ -633,7 +633,8 @@ jobs:
     runs-on: ${{ inputs.runs-on || 'ubuntu-latest' }}
     permissions:
       contents: read
-      packages: write # only used if pushing to GHCR but needs to be defined as caller must provide permissions ≥ to those used in the reusable workflow
+      id-token: write # for registry authentication with OIDC if needed
+      packages: write # for pushing to GHCR when merging manifests if needed
     outputs:
       cosign-version: ${{ env.COSIGN_VERSION }}
       cosign-verify-commands: ${{ steps.set.outputs.cosign-verify-commands }}

.github/workflows/build.yml

@@ -215,8 +215,8 @@ jobs:
       - prepare
     permissions:
       contents: read
-      id-token: write # for signing attestation manifests with GitHub OIDC Token
-      packages: write # only used if pushing to GHCR but needs to be defined as caller must provide permissions ≥ to those used in the reusable workflow
+      id-token: write # for signing attestation manifests and/or registry authentication with GitHub OIDC Token
+      packages: write # for pushing manifests to GHCR if needed
     strategy:
       fail-fast: false
       matrix:
@@ -524,7 +524,8 @@ jobs:
     runs-on: ${{ inputs.runs-on || 'ubuntu-latest' }}
     permissions:
       contents: read
-      packages: write # only used if pushing to GHCR but needs to be defined as caller must provide permissions ≥ to those used in the reusable workflow
+      id-token: write # for registry authentication with OIDC if needed
+      packages: write # for pushing to GHCR when merging manifests if needed
     outputs:
       cosign-version: ${{ env.COSIGN_VERSION }}
       cosign-verify-commands: ${{ steps.set.outputs.cosign-verify-commands }}

README.md

@@ -36,8 +36,8 @@ on:
     uses: docker/github-builder-experimental/.github/workflows/build.yml@main
     permissions:
       contents: read
-      id-token: write # for signing attestation manifests with GitHub OIDC Token
-      packages: write # only used if pushing to GHCR but needs to be defined as caller must provide permissions ≥ to those used in the reusable workflow
+      id-token: write # for signing attestation manifests and registry authentication if needed with GitHub OIDC Token
+      packages: write # for pushing manifests to GHCR if needed (caller must provide the same permissions used in the reusable workflow)
     with:
       output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
       meta-images: name/app
@@ -91,8 +91,8 @@ on:
     uses: docker/github-builder-experimental/.github/workflows/bake.yml@main
     permissions:
       contents: read
-      id-token: write # for signing attestation manifests with GitHub OIDC Token
-      packages: write # only used if pushing to GHCR but needs to be defined as caller must provide permissions ≥ to those used in the reusable workflow
+      id-token: write # for signing attestation manifests and registry authentication if needed with GitHub OIDC Token
+      packages: write # for pushing manifests to GHCR if needed (caller must provide the same permissions used in the reusable workflow)
     with:
       output: ${{ github.event_name != 'pull_request' && 'registry' || 'cacheonly' }}
       meta-images: name/app