From 323a62d7b9da1a2901385c1455cd67fecfa9198d Mon Sep 17 00:00:00 2001
From: Gabriel Adrian Samfira
Date: Thu, 2 Dec 2021 18:13:27 +0200
Subject: [PATCH] Add permissions
Limit the scope of GITHUB_TOKEN to only have write access to packages and read access to metadata. By default it seems to be granted access equal to that of the github.actor that triggered the workflow, which may include access to more than the workflow needs.
Signed-off-by: Gabriel Adrian Samfira
---
 .github/workflows/build-test-images.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/build-test-images.yml b/.github/workflows/build-test-images.yml
index a1a2a5901..edccdbf1d 100644
--- a/.github/workflows/build-test-images.yml
+++ b/.github/workflows/build-test-images.yml
@@ -19,6 +19,9 @@ on:
 required: true
 default: westeurope
 
+permissions:
+ packages: write
+
 env:
 AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUB_ID }}
 DEFAULT_ADMIN_USERNAME: azureuser
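Review bot: The new top-level `permissions:` block applies to every job in the workflow, so each job's GITHUB_TOKEN gets `packages: write` even if only one job publishes images. The jobs are outside this hunk, so this needs confirming: if a single job pushes to the registry, move `packages: write` under that job and leave the workflow level at `permissions: {}`. Every scope not listed here becomes `none`, so if any job checks out the repository with the token and the repository is not public, it will need `contents: read` alongside. A one-line comment above the block, such as `# Scopes not listed here are set to none for GITHUB_TOKEN`, would keep a later editor from assuming the defaults still apply.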