Use more restrictive permissions on the GitHub token.
Signed-off-by: Tim 'mithro' Ansell <tansell@google.com>
diff --git a/.github/workflows/build-docker-image-run-drc-for-cell-gds-using-magic.yml b/.github/workflows/build-docker-image-run-drc-for-cell-gds-using-magic.yml
index 62a48b5..119c69b 100644
--- a/.github/workflows/build-docker-image-run-drc-for-cell-gds-using-magic.yml
+++ b/.github/workflows/build-docker-image-run-drc-for-cell-gds-using-magic.yml
@@ -21,7 +21,13 @@
push:
pull_request_target:
+
+permissions:
+ contents: read
+
+
jobs:
+
# FIXME: Remove once GitHub Container Registry is working.
# docker.pkg.github.com doesn't support buildx built packages, use
# docker/build-push-action instead.
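Review bot: The workflow-level `contents: read` added here is the right baseline, but the second hunk grants the build job `packages: write` unconditionally, and the expression in that line's trailing comment (`github.event_name == "push" || ...`) cannot do what it suggests because GitHub Actions does not evaluate expressions inside `permissions:`. Since this workflow also runs on the `pull_request_target:` trigger shown in this hunk, which uses the base repository's token, that job holds a write-capable token while handling pull-request content; gate the image push step with `if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'` or move the push into a separate job restricted to those events, and replace the commented-out expression with a plain comment stating that intent. A job-level `permissions:` block also replaces the workflow-level one for that job, so `contents: read` likely needs repeating there for `actions/checkout` to work. The comment names `workflow_dispatch`, which is not among the triggers visible here; the `on:` block starts above this hunk, so it may be declared there. Minor style: three blank lines are added around `jobs:` where one between stanzas is the usual convention, and the second hunk continues past the end of this excerpt.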
@@ -30,6 +36,9 @@
runs-on: ubuntu-latest
+ permissions:
+ packages: write # ${{ github.event_name == "push" || github.event_name == "workflow_dispatch" }}
+
steps:
- name: Checkout code
uses: actions/checkout@v2