From 0c8f3e0d0f9c9f7401c825dcaf2f8c7c508f859c Mon Sep 17 00:00:00 2001
From: valknarness
Date: Fri, 7 Nov 2025 15:04:39 +0100
Subject: [PATCH] fix: add required permissions for GitHub Actions attestations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add id-token and attestations permissions to Docker workflow:
- id-token: write - Required for OIDC token generation
- attestations: write - Required for artifact attestations
Also add missing step ID to build-and-push step so attestation step can reference the digest output.
Fixes: Error: Failed to get ID token: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 .github/workflows/docker.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 5270a07..af3fa25 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -20,6 +20,8 @@ jobs:
 permissions:
 contents: read
 packages: write
+ id-token: write
+ attestations: write
 steps:
 - name: Checkout repository
@@ -51,6 +53,7 @@ jobs:
 type=raw,value=latest,enable={{is_default_branch}}
 - name: Build and push Docker image
+ id: build-and-push
 uses: docker/build-push-action@v5
 with:
 context: .
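Review bot: The new `id-token: write` and `attestations: write` entries sit in the job-level `permissions:` block of the first hunk, so every step of this job, including the third-party actions it runs, can request an OIDC token and write attestations, not only the attestation step. The workflow triggers and the attestation step are outside the hunk; it is worth confirming that the attestation step is skipped on events where the image is not pushed, so the token is never requested there. I would also record the reason beside each key, e.g. `id-token: write  # OIDC token for the attestation step` and `attestations: write  # store the artifact attestation`, so a later cleanup does not widen or drop them blindly.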
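Review bot: In the second hunk, `uses: docker/build-push-action@v5` remains pinned to a mutable tag in the very step whose digest the attestation will vouch for, and after this commit the job also carries `id-token: write` and `attestations: write`. Pinning to a full commit SHA, `uses: docker/build-push-action@<full-commit-sha>  # v5`, keeps a moved tag from running with those permissions. The attestation step lies outside this hunk, so please confirm it reads `steps.build-and-push.outputs.digest`; a mismatched step id would likely evaluate to an empty value rather than fail when the workflow is parsed.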