From 43c572c5eb1a02b54ab4dd2f70cbd49e17e233f0 Mon Sep 17 00:00:00 2001
From: Mario Apra
Date: Fri, 10 Apr 2026 15:45:34 +0100
Subject: [PATCH] feat!: require artifact-metadata:write permission for attestations

Add artifact-metadata:write to all Docker build and promote reusable workflows. This is required by the actions/attest-build-provenance action since GitHub made the permission GA in January 2026.

BREAKING CHANGE: Caller workflows that set explicit permissions must add `artifact-metadata: write` to their permissions block. Without it, GitHub will reject the workflow with a validation error.
---
 .github/workflows/docker-build-push-dockerhub.yaml | 1 +
 .github/workflows/docker-build-push-jfrog.yaml     | 1 +
 .github/workflows/docker-promote-dockerhub.yaml    | 6 ++++++
 .github/workflows/docker-promote-jfrog.yaml        | 6 ++++++
 4 files changed, 14 insertions(+)

diff --git a/.github/workflows/docker-build-push-dockerhub.yaml b/.github/workflows/docker-build-push-dockerhub.yaml
index e1bed3a..51940e6 100644
--- a/.github/workflows/docker-build-push-dockerhub.yaml
+++ b/.github/workflows/docker-build-push-dockerhub.yaml
@@ -115,6 +115,7 @@ on:
 permissions:
   id-token: write
   attestations: write
+  artifact-metadata: write
   contents: read
 
 jobs:
diff --git a/.github/workflows/docker-build-push-jfrog.yaml b/.github/workflows/docker-build-push-jfrog.yaml
index cf9392c..30ebd52 100644
--- a/.github/workflows/docker-build-push-jfrog.yaml
+++ b/.github/workflows/docker-build-push-jfrog.yaml
@@ -119,6 +119,7 @@ on:
 permissions:
   id-token: write
   attestations: write
+  artifact-metadata: write
   contents: read
 
 jobs:
diff --git a/.github/workflows/docker-promote-dockerhub.yaml b/.github/workflows/docker-promote-dockerhub.yaml
index b9693bf..26f7657 100644
--- a/.github/workflows/docker-promote-dockerhub.yaml
+++ b/.github/workflows/docker-promote-dockerhub.yaml
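Review bot: The `artifact-metadata: write` line is added to a workflow-level `permissions:` block, so together with the existing `id-token: write` and `attestations: write` it is granted to every job in this reusable workflow rather than only to the job that runs actions/attest-build-provenance; the same applies to the docker-build-push-jfrog.yaml hunk and to the two new blocks in the promote workflows. If the attestation step lives in a single job, the three write scopes can move into that job's own `permissions:` block (callers still have to grant the superset) while the workflow level keeps `contents: read`, which keeps OIDC token minting away from jobs that do not need it. Either way the new line would benefit from a comment recording why it exists, e.g. `artifact-metadata: write # required by actions/attest-build-provenance (permission GA Jan 2026)`, since the reason is otherwise only in the commit message. The `jobs:` section these permissions apply to continues outside the hunk.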
@@ -33,6 +33,12 @@ on:
         description: "Docker Hub password"
         required: true
 
+permissions:
+  id-token: write
+  attestations: write
+  artifact-metadata: write
+  contents: read
+
 jobs:
   promote:
     name: Promote Docker image
diff --git a/.github/workflows/docker-promote-jfrog.yaml b/.github/workflows/docker-promote-jfrog.yaml
index a1708a1..c094fb0 100644
--- a/.github/workflows/docker-promote-jfrog.yaml
+++ b/.github/workflows/docker-promote-jfrog.yaml
@@ -40,6 +40,12 @@ on:
         required: false
         default: false
 
+permissions:
+  id-token: write
+  attestations: write
+  artifact-metadata: write
+  contents: read
+
 jobs:
   promote:
     name: Promote Docker image
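Review bot: The promote workflows had no top-level `permissions:` block before this hunk, and because declaring any permission sets every undeclared scope to `none`, the new block does more than the commit message states: it narrows the `GITHUB_TOKEN` for the promote job to these four scopes, so any step that relied on the previous default token scopes could start failing. This looks like the desired least-privilege outcome, but the BREAKING CHANGE note should say so, and the `promote:` job (which continues outside the hunk) should be checked for steps that need any other scope. The same applies to the docker-promote-jfrog.yaml hunk. A short comment on the block, e.g. `# Minimal token scopes for actions/attest-build-provenance; all other scopes are none`, would make the intent explicit for callers.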