|
30 | 30 |
|
31 | 31 | permissions:
|
32 | 32 | contents:read
|
33 |
| -packages:write |
34 |
| -pull-requests:write# needed for commenting on PRs |
35 | 33 |
|
36 | 34 | jobs:
|
37 | 35 | check_pr:
|
@@ -171,6 +169,8 @@ jobs:
|
171 | 169 | needs:get_info
|
172 | 170 | if:needs.get_info.outputs.BUILD == 'true' || github.event.inputs.deploy == 'true'
|
173 | 171 | runs-on:"ubuntu-latest"
|
| 172 | +permissions: |
| 173 | +pull-requests:write# needed for commenting on PRs |
174 | 174 | steps:
|
175 | 175 | -name:Harden Runner
|
176 | 176 | uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
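Review bot: The job-level `permissions:` block added at new lines 172-173 grants only `pull-requests: write`, and a job-level block replaces the workflow-level one instead of merging with it, so every scope not listed (including the top-level `contents: read`) drops to no access for this job. Most of the job's steps lie outside the hunk, so this cannot be confirmed from here, but if any step reads repository contents through `GITHUB_TOKEN` (a checkout or a contents API call), add `contents: read` under the new block. The same applies to the `packages: write` block added at new lines 208-210 in the build job. Listing the read scope explicitly next to each write grant also lets a reader audit the job's token from the job definition alone.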
|
@@ -205,6 +205,9 @@ jobs:
|
205 | 205 | # Run build job only if there are changes in the files that we care about or if the workflow is manually triggered with --build flag
|
206 | 206 | if:needs.get_info.outputs.BUILD == 'true'
|
207 | 207 | runs-on:${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
|
| 208 | +permissions: |
| 209 | +# Necessary to push docker images to ghcr.io. |
| 210 | +packages:write |
208 | 211 | # This concurrency only cancels build jobs if a new build is triggred. It will avoid cancelling the current deployemtn in case of docs chnages.
|
209 | 212 | concurrency:
|
210 | 213 | group:build-${{ github.workflow }}-${{ github.ref }}-${{ needs.get_info.outputs.BUILD }}
|
|