Explicitly set GITHUB_TOKEN permissions for yocto workflow

Changelog-entry: Explicitly set GITHUB_TOKEN permissions for yocto workflow Signed-off-by: Ryan Cooke <[email protected]>
balena-os · Dec 9, 2024 · aaa6b88 · aaa6b88
1 parent 4774129
commit aaa6b88
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/.github/workflows/radxa-cm3-io-rk3566.yml b/.github/workflows/radxa-cm3-io-rk3566.yml
@@ -31,6 +31,12 @@ on:
         type: string
         default: balena-staging.com
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto: