From 583c95c7b9c81cbc16c63c01b7df2e8cff7de55e Mon Sep 17 00:00:00 2001
From: Juan Fernandez
Date: Mon, 25 Aug 2025 17:08:36 -0400
Subject: [PATCH] Added missing permissions required for code-sign-windows (#32281)

For #32007. Added missing attestation permission requirements.
---
 .github/workflows/build-fleetd-base-msi.yml | 3 ++-
 .github/workflows/code-sign-windows.yml | 2 +-
 .github/workflows/generate-desktop-targets.yml | 12 ++++++++++--
 .github/workflows/goreleaser-orbit.yaml | 6 ++++--
 .github/workflows/release-fleetd-base.yml | 5 +++++
 5 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build-fleetd-base-msi.yml b/.github/workflows/build-fleetd-base-msi.yml
index fa7e21424d..e772683d47 100644
--- a/.github/workflows/build-fleetd-base-msi.yml
+++ b/.github/workflows/build-fleetd-base-msi.yml
@@ -70,10 +70,11 @@ jobs:
 needs: build
 uses: ./.github/workflows/code-sign-windows.yml
 permissions:
+ contents: read
 id-token: write # required for attestations
 attestations: write # required for attestations
 with:
- attest: "true"
+ attest: true
 filename: fleetd-base.msi
 upload_name: fleetd-base-msi
 secrets:
diff --git a/.github/workflows/code-sign-windows.yml b/.github/workflows/code-sign-windows.yml
index 0f5d8eab49..e7a3b1362a 100644
--- a/.github/workflows/code-sign-windows.yml
+++ b/.github/workflows/code-sign-windows.yml
@@ -98,7 +98,7 @@ jobs:
 shell: cmd
 - name: Attest binary
- if: ${{ inputs.attest == 'true' }}
+ if: ${{ inputs.attest }}
 continue-on-error: true
 uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
 with:
diff --git a/.github/workflows/generate-desktop-targets.yml b/.github/workflows/generate-desktop-targets.yml
index 8b3f4675cd..6766fc1082 100644
--- a/.github/workflows/generate-desktop-targets.yml
+++ b/.github/workflows/generate-desktop-targets.yml
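Review bot: The added `contents: read` in the build-fleetd-base-msi.yml hunk is the only scope in its `permissions` block with no comment saying why it is needed, and the same bare line is added in the generate-desktop-targets.yml, goreleaser-orbit.yaml and release-fleetd-base.yml hunks. An explicit `permissions` block sets every unlisted scope to none, so a reader pruning scopes later needs to know this one is deliberate; something like `contents: read # required by code-sign-windows.yml (confirm which step)` would do. The comment wording also differs between files (`# required for attestations` here, `# required for code-sign-windows` elsewhere) and could be unified. The job header for this block is above the hunk.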
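Review bot: The new condition `if: ${{ inputs.attest }}` on the Attest binary step in code-sign-windows.yml is only correct if the `attest` input is declared `type: boolean` under `on.workflow_call.inputs`, and that declaration is outside this hunk (the diffstat shows this one line as the file's only change). If the input is declared as a string, any non-empty value, including `'false'`, is truthy in an Actions expression and the step would always run. Please confirm the declaration and consider pinning the assumption next to the condition, e.g. `# inputs.attest is type: boolean; a string 'false' would be truthy here`.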
@@ -131,8 +131,12 @@ jobs:
 code-sign-windows:
 needs: desktop-windows
 uses: ./.github/workflows/code-sign-windows.yml
+ permissions:
+ contents: read
+ id-token: write # required for code-sign-windows
+ attestations: write # required for code-sign-windows
 with:
- attest: "true"
+ attest: true
 filename: fleet-desktop.exe
 upload_name: fleet-desktop.exe
 secrets:
@@ -173,8 +177,12 @@ jobs:
 code-sign-windows-arm64:
 needs: desktop-windows-arm64
 uses: ./.github/workflows/code-sign-windows.yml
+ permissions:
+ contents: read
+ id-token: write # required for code-sign-windows
+ attestations: write # required for code-sign-windows
 with:
- attest: "true"
+ attest: true
 filename: fleet-desktop.exe
 upload_name: fleet-desktop-arm64.exe
 download_name: unsigned-windows-arm64
diff --git a/.github/workflows/goreleaser-orbit.yaml b/.github/workflows/goreleaser-orbit.yaml
index 35007083e1..fe5ef08da3 100644
--- a/.github/workflows/goreleaser-orbit.yaml
+++ b/.github/workflows/goreleaser-orbit.yaml
@@ -204,10 +204,11 @@ jobs:
 needs: goreleaser-windows
 uses: ./.github/workflows/code-sign-windows.yml
 permissions:
+ contents: read
 id-token: write # required for attestations
 attestations: write # required for attestations
 with:
- attest: 'true'
+ attest: true
 filename: orbit.exe
 upload_name: orbit-windows
 secrets:
@@ -257,10 +258,11 @@ jobs:
 needs: goreleaser-windows-arm64
 uses: ./.github/workflows/code-sign-windows.yml
 permissions:
+ contents: read
 id-token: write # required for attestations
 attestations: write # required for attestations
 with:
- attest: 'true'
+ attest: true
 filename: orbit.exe
 upload_name: orbit-windows-arm64
 download_name: unsigned-windows-arm64
diff --git a/.github/workflows/release-fleetd-base.yml b/.github/workflows/release-fleetd-base.yml
index 2178be6fad..38840433b3 100644
--- a/.github/workflows/release-fleetd-base.yml
+++ b/.github/workflows/release-fleetd-base.yml
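Review bot: The `id-token: write` added to the `code-sign-windows` job in generate-desktop-targets.yml is the permission ceiling for every job and step in the called code-sign-windows.yml, not only its Attest step; the same block is added for `code-sign-windows-arm64` below and in release-fleetd-base.yml. That workflow also receives the signing secrets (the `secrets:` key closing this hunk), so it is worth confirming that it declares its own job-level `permissions` rather than inheriting the full grant. Its hunk shows the Attest step following a `shell: cmd` step, so signing and attestation may share one job; if they do, moving the attestation into a separate job would keep OIDC token minting away from the steps that handle the signing material. The called workflow's own permissions are not visible in this patch.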
@@ -214,7 +214,12 @@ jobs:
 code-sign-windows:
 needs: build-fleetd-base-msi
 uses: ./.github/workflows/code-sign-windows.yml
+ permissions:
+ contents: read
+ id-token: write # required for code-sign-windows
+ attestations: write # required for code-sign-windows
 with:
+ attest: true
 filename: fleetd-base.msi
 upload_name: fleetd-base-msi
 secrets:
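Review bot: Nothing visible in this hunk makes the release depend on the attestation for `fleetd-base.msi` actually being created, although the job now requests it with `attest: true`. The Attest step in code-sign-windows.yml keeps `continue-on-error: true` (a context line in that file's hunk), so a failure there, such as the missing permission this patch fixes, still leaves the job green. For the release path I would either drop `continue-on-error` when `inputs.attest` is set or add a later step that runs `gh attestation verify` on the signed file and fails if no attestation is found. Jobs after `code-sign-windows` are outside the hunk, so such a check may already exist.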