fix permissions

anthony-nhs · anthony-nhs · commit 1d13e9afbfe4 · 2026-02-18T22:39:07.000Z
diff --git a/.github/workflows/quality-checks-devcontainer.yml b/.github/workflows/quality-checks-devcontainer.yml
@@ -28,6 +28,10 @@ on:
 jobs:
   verify_runtime_image:
     uses: ./.github/workflows/verify-runtime-image.yml
+    permissions:
+      contents: read
+      packages: read
+      attestations: read
     with:
       runtime_docker_image: ${{ inputs.runtime_docker_image }}
 
diff --git a/.github/workflows/tag-release-devcontainer.yml b/.github/workflows/tag-release-devcontainer.yml
@@ -61,6 +61,10 @@ on:
 jobs:
     verify_runtime_image:
         uses: ./.github/workflows/verify-runtime-image.yml
+        permissions:
+            contents: read
+            packages: read
+            attestations: read
         with:
             runtime_docker_image: ${{ inputs.runtime_docker_image }}
             registry: ghcr.io
diff --git a/.github/workflows/verify-runtime-image.yml b/.github/workflows/verify-runtime-image.yml
@@ -82,10 +82,21 @@ jobs:
             - name: Verify provenance attestation
               shell: bash
               env:
-                  GH_TOKEN: ${{ github.token }}
+                  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
                   PINNED_IMAGE: ${{ steps.resolve.outputs.pinned_image }}
                   OWNER: ${{ inputs.owner }}
               run: |
                   set -euo pipefail
-                  gh attestation verify "oci://${PINNED_IMAGE}" --owner "$OWNER"
+                  set +e
+                  VERIFY_OUTPUT="$(gh attestation verify "oci://${PINNED_IMAGE}" --owner "$OWNER" 2>&1)"
+                  VERIFY_STATUS=$?
+                  set -e
+
+                  if [[ $VERIFY_STATUS -ne 0 ]]; then
+                    echo "$VERIFY_OUTPUT" >&2
+                    echo "::error title=Attestation verification failed::If this is a reusable workflow call, ensure the caller job grants permissions: contents: read, packages: read, attestations: read."
+                    echo "::error title=Attestation verification failed::Also confirm --owner ('${OWNER}') matches the org/user that published the image attestations."
+                    exit 1
+                  fi
+
                   echo "Verified attestation for ${PINNED_IMAGE}"
