Github Actions CI needs id-token write permissions (#1682)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
nebari-dev · Mar 16, 2023 · 449d383 · 449d383
1 parent fd6fb64
commit 449d383
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/nebari/provider/cicd/github.py b/nebari/provider/cicd/github.py
@@ -171,6 +171,7 @@ class Config:
 class GHA_job_id(BaseModel):
     name: str
     runs_on_: str = Field(alias="runs-on")
+    permissions: Optional[Dict[str, str]]
     steps: List[GHA_job_step]
 
     class Config:
@@ -272,7 +273,15 @@ def gen_nebari_ops(config):
     for step in config["ci_cd"].get("after_script", []):
         gha_steps.append(GHA_job_step(**step))
 
-    job1 = GHA_job_id(name="nebari", runs_on_="ubuntu-latest", steps=gha_steps)
+    job1 = GHA_job_id(
+        name="nebari",
+        runs_on_="ubuntu-latest",
+        permissions={
+            "id-token": "write",
+            "contents": "read",
+        },
+        steps=gha_steps,
+    )
     jobs = GHA_jobs(__root__={"build": job1})
 
     return NebariOps(