ci: add `id-token` permission and update the signing command (#5016)

author: Mohammed Al Sahaf <msaa1990@gmail.com> 2022-09-05 23:57:27 +0300
committer: GitHub <noreply@github.com> 2022-09-05 20:57:27 +0000
commit: 0499d9c1c4177503c4a3d8d6bffd5d44e5edd430 (patch)
tree: 119bee2a5549a2736d47190d42a441b2f33e7640 /.github
parent: 5dfa08174ae3af34f10f0c1b5ca69b12a0ec7395 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d67f875..8ab9488 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,6 +20,12 @@ jobs:
           GO_SEMVER: '~1.19.0'
 
     runs-on: ${{ matrix.os }}
+    # https://github.com/sigstore/cosign/issues/1258#issuecomment-1002251233
+    # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
+    permissions:
+      id-token: write
+      # https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#permission-on-contents
+      contents: read
 
     steps:
     - name: Install Go
author	Mohammed Al Sahaf <msaa1990@gmail.com>	2022-09-05 23:57:27 +0300
committer	GitHub <noreply@github.com>	2022-09-05 20:57:27 +0000
commit	0499d9c1c4177503c4a3d8d6bffd5d44e5edd430 (patch)
tree	119bee2a5549a2736d47190d42a441b2f33e7640 /.github
parent	5dfa08174ae3af34f10f0c1b5ca69b12a0ec7395 (diff)