fix: remove artifact-metadata:write from reusable workflows

derrix060 · derrix060 · commit f96d8ee8db39 · 2026-04-10T15:42:26.000+01:00
Reusable workflows cannot request permissions that callers don't grant
— GitHub fails with a validation error. Removing artifact-metadata:write
from the reusable workflows avoids breaking existing callers.

The permission remains in the example files so callers can adopt it at
their own pace.
diff --git a/.github/workflows/docker-build-push-dockerhub.yaml b/.github/workflows/docker-build-push-dockerhub.yaml
@@ -115,7 +115,6 @@ on:
 permissions:
   id-token: write
   attestations: write
-  artifact-metadata: write
   contents: read
 
 jobs:
diff --git a/.github/workflows/docker-build-push-jfrog.yaml b/.github/workflows/docker-build-push-jfrog.yaml
@@ -119,7 +119,6 @@ on:
 permissions:
   id-token: write
   attestations: write
-  artifact-metadata: write
   contents: read
 
 jobs:
diff --git a/.github/workflows/docker-promote-dockerhub.yaml b/.github/workflows/docker-promote-dockerhub.yaml
@@ -33,12 +33,6 @@ on:
         description: "Docker Hub password"
         required: true
 
-permissions:
-  id-token: write
-  attestations: write
-  artifact-metadata: write
-  contents: read
-
 jobs:
   promote:
     name: Promote Docker image
diff --git a/.github/workflows/docker-promote-jfrog.yaml b/.github/workflows/docker-promote-jfrog.yaml
@@ -40,12 +40,6 @@ on:
         required: false
         default: false
 
-permissions:
-  id-token: write
-  attestations: write
-  artifact-metadata: write
-  contents: read
-
 jobs:
   promote:
     name: Promote Docker image
