Add permissions

.github/workflows/build-and-test.yaml

@@ -146,6 +146,13 @@ jobs:
 
   deploy:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+      attestations: write
     needs:
     - build
     if: ${{ github.event_name != 'pull_request' }}

.github/workflows/docker-scan.yml

@@ -12,7 +12,7 @@ permissions:
 
 jobs:
   wait-for-build:
-    name: Wait for build
+    name: Wait for deploy
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
@@ -26,11 +26,11 @@ jobs:
             index.rubygems.org:443
             rubygems.org:443
 
-      - name: Wait for build
+      - name: Wait for deploy
         uses: lewagon/wait-on-check-action@0dceb95e7c4cad8cc7422aee3885998f5cab9c79  # v1.4.0
         with:
           ref: ${{ github.ref }}
-          check-name: 'build'
+          check-name: 'deploy'
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           wait-interval: 15
           allowed-conclusions: success,skipped
@@ -46,19 +46,7 @@ jobs:
         name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
-          egress-policy: block
+          egress-policy: audit
-          allowed-endpoints: >
-            api.github.com:443
-            auth.docker.io:443
-            files.pythonhosted.org:443
-            github.com:443
-            grype.anchore.io:443
-            objects.githubusercontent.com:443
-            production.cloudflare.docker.com:443
-            pypi.org:443
-            raw.githubusercontent.com:443
-            registry-1.docker.io:443
-            release-assets.githubusercontent.com:443
       -
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1