From 4c8402eb12a64eea5b95a11fb6780120eda7bb61 Mon Sep 17 00:00:00 2001
From: Yuuichi Asahi
Date: Mon, 27 Jan 2025 19:32:45 +0900
Subject: [PATCH] add package write permission in CI
---
 .github/workflows/__build_base.yaml | 3 +++
 .github/workflows/build_test.yaml | 3 +++
 .github/workflows/pre_build_base.yaml | 4 ++++
 3 files changed, 10 insertions(+)
diff --git a/.github/workflows/__build_base.yaml b/.github/workflows/__build_base.yaml
index f72234d5..f5b65679 100644
--- a/.github/workflows/__build_base.yaml
+++ b/.github/workflows/__build_base.yaml
@@ -31,6 +31,9 @@ env:
 jobs:
 build_base:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
 strategy:
 matrix:
diff --git a/.github/workflows/build_test.yaml b/.github/workflows/build_test.yaml
index d3fbed1e..3e1521e5 100644
--- a/.github/workflows/build_test.yaml
+++ b/.github/workflows/build_test.yaml
@@ -44,6 +44,9 @@ jobs:
 if: ${{ needs.check_docker_files.outputs.docker_files_have_changed == 'true' }}
 uses: ./.github/workflows/__build_base.yaml
+ permissions:
+ contents: read
+ packages: write
 with:
 image_suffix: ${{ needs.check_docker_files.outputs.image_suffix }}
diff --git a/.github/workflows/pre_build_base.yaml b/.github/workflows/pre_build_base.yaml
index ad9b1cea..3b26f684 100644
--- a/.github/workflows/pre_build_base.yaml
+++ b/.github/workflows/pre_build_base.yaml
@@ -27,6 +27,10 @@ jobs:
 build_base:
 needs: check_docker_files
+ permissions:
+ contents: read
+ packages: write
+
 # run inconditionnaly on schedule or manual mode or if Docker files changed on other modes
 if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || needs.check_docker_files.outputs.docker_files_have_changed == 'true' }}
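Review bot: The `permissions:` block added to `build_base` in `__build_base.yaml` does not say which step needs `packages: write`, and the grant covers every step of the matrix job, most of which lies outside this hunk. I would put a comment above it such as `# packages: write is needed only by the image push step; everything else runs with contents: read`, adjusted to whatever the publishing step actually is. Because this file is invoked through `uses:` (visible in the `build_test.yaml` hunk), the caller's grant is the upper bound on what the job receives, so any caller not touched by this commit would need the same block.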
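Review bot: In `build_test.yaml` the caller now hands `packages: write` to the reusable workflow whenever `docker_files_have_changed` is `'true'`, which is exactly the case where the triggering branch controls the Docker files being built. The workflow's triggers are outside this hunk; if they include `pull_request`, it is worth confirming that `image_suffix` (presumably what separates branch builds from the shared image) can never be empty on such runs. A comment above `with:` such as `# image_suffix must be non-empty on PR runs so the shared base tag is never overwritten` would make that invariant reviewable.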
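Review bot: Only `build_base` receives an explicit token scope in `pre_build_base.yaml`; `check_docker_files`, which it `needs:`, still runs with the repository default unless a workflow-level block exists outside this hunk. If there is none, add a top-level `permissions: { contents: read }` so the default is read-only and `packages: write` stays a per-job exception. The same applies to the sibling jobs in `build_test.yaml`.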