feat!: require artifact-metadata:write permission for attestations (#144)

derrix060 · web-flow · commit e7be9b531cf2 · 2026-04-10T15:45:57.000+01:00
Add artifact-metadata:write to all Docker build and promote reusable
workflows. This is required by the actions/attest-build-provenance
action since GitHub made the permission GA in January 2026.

BREAKING CHANGE: Caller workflows that set explicit permissions must
add `artifact-metadata: write` to their permissions block. Without it,
GitHub will reject the workflow with a validation error.
diff --git a/.github/workflows/docker-build-push-dockerhub.yaml b/.github/workflows/docker-build-push-dockerhub.yaml
@@ -115,6 +115,7 @@ on:
 permissions:
   id-token: write
   attestations: write
+  artifact-metadata: write
   contents: read
 
 jobs:
diff --git a/.github/workflows/docker-build-push-jfrog.yaml b/.github/workflows/docker-build-push-jfrog.yaml
@@ -119,6 +119,7 @@ on:
 permissions:
   id-token: write
   attestations: write
+  artifact-metadata: write
   contents: read
 
 jobs:
diff --git a/.github/workflows/docker-promote-dockerhub.yaml b/.github/workflows/docker-promote-dockerhub.yaml
@@ -33,6 +33,12 @@ on:
         description: "Docker Hub password"
         required: true
 
+permissions:
+  id-token: write
+  attestations: write
+  artifact-metadata: write
+  contents: read
+
 jobs:
   promote:
     name: Promote Docker image
diff --git a/.github/workflows/docker-promote-jfrog.yaml b/.github/workflows/docker-promote-jfrog.yaml
@@ -40,6 +40,12 @@ on:
         required: false
         default: false
 
+permissions:
+  id-token: write
+  attestations: write
+  artifact-metadata: write
+  contents: read
+
 jobs:
   promote:
     name: Promote Docker image
