From 307fe31f6c6ffd5de60ebbec94042b6482240457 Mon Sep 17 00:00:00 2001 From: Mathew Payne <2772944+GeekMasher@users.noreply.github.com> Date: Tue, 8 Apr 2025 13:12:05 +0100 Subject: [PATCH 1/2] fix(ci): Update container --- .github/workflows/container.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index badacb2..d56d24a 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -17,11 +17,6 @@ on: type: string default: "${{ github.repository }}" - signing: - description: "Sign the image" - type: string - default: "false" - publish: description: "Publish the image to the registry" type: string @@ -108,4 +103,3 @@ jobs: container-file: ${{ inputs.container-file }} container-name: ${{ inputs.container-name }} sbom: ${{ inputs.sbom }} - signing: ${{ inputs.signing }} From 5c5f1bd449e0db9a6f6b06817e3ac8a66cd729c4 Mon Sep 17 00:00:00 2001 From: Mathew Payne <2772944+GeekMasher@users.noreply.github.com> Date: Tue, 8 Apr 2025 13:32:26 +0100 Subject: [PATCH 2/2] feat: Update container permissions --- .github/workflows/container.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index d56d24a..1b071eb 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -52,6 +52,10 @@ jobs: release: ${{ steps.set-version.outputs.release }} version: ${{ steps.set-version.outputs.version }} + permissions: + id-token: write + contents: read + steps: - name: "Checkout" uses: actions/checkout@v4 @@ -87,6 +91,11 @@ jobs: uses: advanced-security/reusable-workflows/.github/workflows/container-security.yml@main needs: set-version secrets: inherit + permissions: + id-token: write + contents: read + packages: read # Read Container Registry + security-events: write # Code Scanning with: version: ${{ needs.set-version.outputs.version }} container-file: ${{ inputs.container-file }} 
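Review bot: `id-token: write` on the set-version job (hunk `@@ -52,6 +52,10 @@`) lets that job mint OIDC tokens asserting this repository's identity, but the only step visible in the hunk is `actions/checkout@v4`, which needs nothing beyond `contents: read`; an OIDC token is only useful to an external trust relationship (cloud roles, Sigstore), so for a job that computes version outputs it looks like unneeded privilege. Per least privilege I would reduce the block to `permissions:` / `  contents: read`. The job's step list continues past the end of the hunk, so confirm no later step exchanges an OIDC token before dropping it. If one does, a why-comment on the line, e.g. `id-token: write # OIDC for <step name>`, would make the grant reviewable, matching the commented entries in the other jobs.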
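Review bot: In the scan-image permissions block (hunk `@@ -87,6 +91,11 @@`) `id-token: write` is the one entry without a justifying comment, while `packages: read` and `security-events: write` each say why they are needed, and it is the most sensitive of the four: it lets the called workflow obtain an OIDC token that any cloud role or Sigstore policy trusting this repo will accept. The callee is `advanced-security/reusable-workflows/.github/workflows/container-security.yml@main`, a mutable branch ref that also receives `secrets: inherit`, so this new grant widens what a change to that branch could do with this repository's identity. If the scan genuinely needs OIDC, annotate it `id-token: write # OIDC for <signing/attestation step in container-security.yml>` and pin the callee to a commit SHA; otherwise drop the line. I cannot see container-security.yml from here, so whether it needs the token is an open question for the author.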
@@ -98,6 +107,11 @@ jobs:
 needs: [ scan-image, set-version ]
 if: ${{ needs.set-version.outputs.release == 'true' }}
 secrets: inherit
+ permissions:
+ id-token: write
+ contents: write # Upload SBOM to GitHub
+ packages: write # Push to Container Registry
+ attestations: write # Upload attestations
 with:
 version: ${{ needs.set-version.outputs.version }}
 container-file: ${{ inputs.container-file }}
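Review bot: A job-level `permissions` block cannot raise the token above what the caller grants, so if this workflow is consumed via `workflow_call` (the `inputs` block with `default: "${{ github.repository }}"` earlier in the file suggests it is) the publish job will now fail at the permission check in any caller that does not grant `id-token: write`, `contents: write`, `packages: write` and `attestations: write`. That contract should be stated where callers will see it, for instance a comment above the block: `# Callers must grant at least these permissions to the job that invokes this workflow`. `contents: write` is also broader than "Upload SBOM to GitHub" implies, since it permits pushing to branches, but GitHub has no release-only scope, so the inline comment could read `# Upload SBOM as a release asset (no narrower scope exists)` to make the trade-off explicit. Whether the SBOM actually goes to a release is inferred from the comment, not visible in this hunk.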