From abc859a86b493762055b41360f6e28935b317bb2 Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Mon, 6 Oct 2025 13:04:38 -0700
Subject: [PATCH] fix: worfklow permissions required for provenance generation
---
 .github/workflows/build_aarch64.yml | 4 ++++
 .github/workflows/build_aarch64_test.yml | 4 ++++
 .github/workflows/build_x86_64.yml | 4 ++++
 .github/workflows/build_x86_64_test.yml | 4 ++++
 4 files changed, 16 insertions(+)
diff --git a/.github/workflows/build_aarch64.yml b/.github/workflows/build_aarch64.yml
index 0121a7ea..55db8b74 100644
--- a/.github/workflows/build_aarch64.yml
+++ b/.github/workflows/build_aarch64.yml
@@ -27,6 +27,10 @@ jobs:
 uses: ./.github/workflows/build.yml
 with:
 arch: 'aarch64'
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
 secrets:
 RPM_SIGNING_KEY: ${{ secrets.RPM_SIGNING_KEY }}
 R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
diff --git a/.github/workflows/build_aarch64_test.yml b/.github/workflows/build_aarch64_test.yml
index 5c275f69..62d7d1fa 100644
--- a/.github/workflows/build_aarch64_test.yml
+++ b/.github/workflows/build_aarch64_test.yml
@@ -28,6 +28,10 @@ jobs:
 with:
 arch: 'aarch64'
 test_build: true
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
 secrets:
 RPM_SIGNING_KEY: ${{ secrets.RPM_SIGNING_KEY }}
 R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
diff --git a/.github/workflows/build_x86_64.yml b/.github/workflows/build_x86_64.yml
index 1e0e63c9..9bf580a0 100644
--- a/.github/workflows/build_x86_64.yml
+++ b/.github/workflows/build_x86_64.yml
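Review bot: The `permissions:` block added to the calling job in build_aarch64.yml is the ceiling for every job inside `./.github/workflows/build.yml`, not only the provenance step. `id-token: write` and `contents: write` therefore become available to the whole build, alongside `RPM_SIGNING_KEY` and the R2 credentials; the hunks in build_aarch64_test.yml, build_x86_64.yml and build_x86_64_test.yml have the same shape. build.yml is not part of this patch and the calling job starts above the hunk, so whether the token is narrowed per job cannot be confirmed from here. If it is not, each job in build.yml should declare its own `permissions:` and only the provenance job should keep the two write scopes. A comment above the block such as `# Upper bound for all jobs in build.yml; narrowed per job there.` would record that intent.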
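Review bot: `contents: write # To add assets to a release.` is granted in build_aarch64_test.yml even though this caller sets `test_build: true`, and the same line appears in build_x86_64_test.yml. If test builds never publish release assets (presumably so, but not visible in this patch), a write-scoped repository token on the test path is privilege with no use, and `contents: read` would be the safer grant. A called workflow fails validation when one of its jobs requests more than the caller grants, so if build.yml's provenance job asks for `contents: write` unconditionally, the narrowing has to happen there, for example by gating that job on `test_build`. Either way, the copied comment should say why a test build needs release write access, or the grant should be dropped.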
@@ -27,6 +27,10 @@ jobs:
 uses: ./.github/workflows/build.yml
 with:
 arch: 'x86_64'
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
 secrets:
 RPM_SIGNING_KEY: ${{ secrets.RPM_SIGNING_KEY }}
 R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
diff --git a/.github/workflows/build_x86_64_test.yml b/.github/workflows/build_x86_64_test.yml
index 6ef3e19c..5be84f6a 100644
--- a/.github/workflows/build_x86_64_test.yml
+++ b/.github/workflows/build_x86_64_test.yml
@@ -28,6 +28,10 @@ jobs:
 with:
 arch: 'x86_64'
 test_build: true
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
 secrets:
 RPM_SIGNING_KEY: ${{ secrets.RPM_SIGNING_KEY }}
 R2_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}