Update GHA token permissions for generic container workflow (slsa-fra…

…mework#1258) Signed-off-by: Ian Lewis <ianlewis@google.com>
ianlewis · Nov 28, 2022 · 38f9f24 · 38f9f24
1 parent d60c716
commit 38f9f24
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 17 deletions.
diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
@@ -14,6 +14,8 @@
 
 name: SLSA container image provenance
 
+permissions: {}
+
 env:
   # Generator
   BUILDER_BINARY: slsa-generator-container-linux-amd64 # Name of the binary in the release assets.
@@ -79,7 +81,6 @@ jobs:
     permissions:
       id-token: write # Needed to get OIDC token for keyless signing.
       actions: read # Needed to read workflow info.
-      packages: write # Needed to login and upload attestations to ghcr.io.
     steps:
       - name: Generate builder
         uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@main

diff --git a/internal/builders/container/README.md b/internal/builders/container/README.md
@@ -19,6 +19,7 @@ project simply generates provenance as a separate step in an existing workflow.
 - [Generating Provenance](#generating-provenance)
   - [Getting Started](#getting-started)
   - [Referencing the SLSA generator](#referencing-the-slsa-generator)
+  - [GitHub Container Registry](#github-container-registry)
   - [Private Repositories](#private-repositories)
   - [Supported Triggers](#supported-triggers)
   - [Workflow Inputs](#workflow-inputs)
@@ -66,7 +67,6 @@ provenance:
   permissions:
     actions: read # for detecting the Github Actions environment.
     id-token: write # for creating OIDC tokens for signing.
-    packages: write # for uploading attestations.
   if: startsWith(github.ref, 'refs/tags/')
   # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Use a tagged release once we have one.
   uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@main
@@ -77,7 +77,7 @@ provenance:
     # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
     compile-generator: true
   secrets:
-    registry-password: ${{ secrets.GITHUB_TOKEN }}
+    registry-password: ${{ secrets.PAT_TOKEN }}
 ```
 
 Here's an example of what it might look like all together.
@@ -92,7 +92,6 @@ jobs:
   build:
     permissions:
       contents: read
-      packages: write
     outputs:
       image: ${{ steps.image.outputs.image }}
       digest: ${{ steps.build.outputs.digest }}
@@ -109,7 +108,7 @@ jobs:
         with:
           registry: ${{ env.IMAGE_REGISTRY }}
           username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.PAT_TOKEN }}
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
@@ -140,7 +139,6 @@ jobs:
     permissions:
       actions: read # for detecting the Github Actions environment.
       id-token: write # for creating OIDC tokens for signing.
-      packages: write # for uploading attestations.
     if: startsWith(github.ref, 'refs/tags/')
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@main
     with:
@@ -150,7 +148,7 @@ jobs:
       # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
       compile-generator: true
     secrets:
-      registry-password: ${{ secrets.GITHUB_TOKEN }}
+      registry-password: ${{ secrets.PAT_TOKEN }}
 ```
 
 ### Referencing the SLSA generator
@@ -160,6 +158,14 @@ by a tag of the form `@vX.Y.Z`, because the build will fail if you reference it
 
 For more information about this design decision and how to configure renovatebot,see the main repository [README.md](../../../README.md).
 
+### GitHub Container Registry
+
+In order to use the GitHub Container Registry (ghcr.io) you will need to
+authenticate using a
+[personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
+(PAT). The PAT must have at least `packages:write` permissions if using a
+classic PAT.
+
 ### Private Repositories
 
 Private repositories are supported with some caveats. Currently all builds
@@ -320,13 +326,13 @@ jobs:
 
 ```yaml
 steps:
-  [...]
+  # [...]
   - name: Run ko
     id: build
     env:
       KO_DOCKER_REPO: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}"
       KO_USER: ${{ github.actor }}
-      KO_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+      KO_PASSWORD: ${{ secrets.PAT_TOKEN }}
       GIT_REF: ${{ github.ref }}
     run: |
       # get tag name without tags/refs/ prefix.
@@ -353,8 +359,6 @@ provenance:
   permissions:
     actions: read
     id-token: write
-    # contents: read
-    packages: write
   if: startsWith(github.ref, 'refs/tags/')
   # TODO: Update after GA
   # uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.2.0
@@ -365,7 +369,7 @@ provenance:
     registry-username: ${{ github.actor }}
     compile-generator: true
   secrets:
-    registry-password: ${{ secrets.GITHUB_TOKEN }}
+    registry-password: ${{ secrets.PAT_TOKEN }}
 ```
 
 All together, it will look as the following:
@@ -375,7 +379,6 @@ jobs:
   build:
     permissions:
       contents: read
-      packages: write
     outputs:
       image: ${{ steps.build.outputs.image }}
       digest: ${{ steps.build.outputs.digest }}
@@ -396,7 +399,7 @@ jobs:
         env:
           KO_DOCKER_REPO: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}"
           KO_USER: ${{ github.actor }}
-          KO_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+          KO_PASSWORD: ${{ secrets.PAT_TOKEN }}
           GIT_REF: ${{ github.ref }}
         run: |
           # get tag name without tags/refs/ prefix.
@@ -420,8 +423,6 @@ jobs:
     permissions:
       actions: read
       id-token: write
-      # contents: read
-      packages: write
     if: startsWith(github.ref, 'refs/tags/')
     # uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.2.0
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@9dc6318aedc3d24ede4e946966d30c752769a4f9
@@ -431,7 +432,7 @@ jobs:
       registry-username: ${{ github.actor }}
       compile-generator: true
     secrets:
-      registry-password: ${{ secrets.GITHUB_TOKEN }}
+      registry-password: ${{ secrets.PAT_TOKEN }}
 ```
 
 ## Verification