diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
index b0b2abb..793d49e 100644
--- a/.github/workflows/integration.yaml
+++ b/.github/workflows/integration.yaml
@@ -7,6 +7,9 @@ jobs:
     if: ${{ github.event_name == 'workflow_call' || github.event_name == 'workflow_dispatch' || github.event.pull_request.draft == false }}
+    permissions:
+      contents: read
+      packages: write
     secrets:
       CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
       OPERATOR_PRIVATE_KEY: ${{ secrets.OPERATOR_PRIVATE_KEY }}
diff --git a/.github/workflows/nix.yaml b/.github/workflows/nix.yaml
index 108399d..4d693dc 100644
--- a/.github/workflows/nix.yaml
+++ b/.github/workflows/nix.yaml
@@ -63,6 +63,9 @@ jobs:
     runs-on: ${{ matrix.runner }}
     needs:
       - setup-packages-jobs
+    permissions:
+      contents: read
+      packages: write
     strategy:
       fail-fast: false
       matrix:
diff --git a/modules/devenv/integrations/github/nix.nix b/modules/devenv/integrations/github/nix.nix
index eb6b4c3..dccf414 100644
--- a/modules/devenv/integrations/github/nix.nix
+++ b/modules/devenv/integrations/github/nix.nix
@@ -132,6 +132,10 @@ in
       needs = [ "setup-packages-jobs" ];
       "if" = "\${{ needs['setup-packages-jobs'].outputs.continue == 'true' }}";
       runs-on = "\${{ matrix.runner }}";
+      permissions = {
+        contents = "read";
+        packages = "write";
+      };
       strategy = {
         fail-fast = false;
         matrix.include = "\${{ fromJSON(needs['setup-packages-jobs'].outputs.matrix) }}";
@@ -283,6 +287,10 @@ in
       "if" = "\${{ github.event_name == 'workflow_call' || github.event_name == 'workflow_dispatch' || github.event.pull_request.draft == false }}";
       uses = "./.github/workflows/nix.yaml";
+      permissions = {
+        contents = "read";
+        packages = "write";
+      };
       secrets = {
         OPERATOR_PRIVATE_KEY = "\${{ secrets.OPERATOR_PRIVATE_KEY }}";
         CACHIX_AUTH_TOKEN = "\${{ secrets.CACHIX_AUTH_TOKEN }}";
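Review bot: The `permissions:` block added to the caller job in integration.yaml sets every scope not listed (`id-token`, `pull-requests`, `checks`, ...) to `none` for the whole called nix.yaml workflow, and a called workflow cannot request more than its caller grants, so any job in nix.yaml that relied on the repository default token scopes will now fail on the first API call rather than at parse time. Only the `setup-packages-jobs` and matrix jobs are visible here, so please confirm against the full nix.yaml that no other job needs an additional scope before merging. The same block is emitted by the generator in modules/devenv/integrations/github/nix.nix (the hunk at -283), so the two are in sync; a one-line comment there such as `# packages: write is the minimum the matrix job needs to push built packages; every other token scope is deliberately none` would record the intent where it survives regeneration.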
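Review bot: `packages: write` is now granted to the entire matrix job in nix.yaml, and the caller's `if:` admits non-draft `pull_request` runs, so a same-repository PR branch (fork PRs get a read-only token regardless) can execute this job with a token able to publish packages; whether that is acceptable depends on what the matrix steps do, which is outside the hunk. If only a publish step needs the scope, consider gating it on the event, e.g. `if: github.event_name != 'pull_request'`, or moving the write grant to a separate job that runs after the build. The generated form in nix.nix (the hunk at -132) would need the same treatment, since the YAML appears to be produced from it.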