From 5049da589903918d91d8e6131036a67af0b89f1d Mon Sep 17 00:00:00 2001
From: immutable-art <138187673+immutable-art@users.noreply.github.com>
Date: Thu, 17 Oct 2024 08:15:59 +1100
Subject: [PATCH] [ITSEC-2280] Update token permissions (#248)
* ITSEC-2280 Add Dependency Review job; Add SBOM signing.
* ITSEC-2280 Update CODEOWNERS to include Product Security on .github
* ITSEC-2280: Fix the dependency review action
Signed-off-by: immutable-art <138187673+immutable-art@users.noreply.github.com>
* ITSEC-2280 Update permissions for GH attestations
Signed-off-by: immutable-art <138187673+immutable-art@users.noreply.github.com>
---------
Signed-off-by: immutable-art <138187673+immutable-art@users.noreply.github.com>
---
 .github/workflows/publish.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index e3dddef3..3ed332d1 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -10,7 +10,8 @@ jobs:
 name: Publish to NPM
 runs-on: ubuntu-latest
 permissions:
- attestations: write
+ id-token: write # Required for GitHub Attestation
+ attestations: write # Required for GitHub Attestation
 steps:
 - name: Checkout
 uses: actions/checkout@v2
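Review bot: With `id-token: write` added at job level, every step in the publish job can request an OIDC token for this workflow's identity, and the context lines show `actions/checkout@v2` still referenced by a mutable tag. Pinning each action in this job to a full commit SHA, written here with a placeholder as `uses: actions/checkout@<full-commit-sha> # <release tag>`, would keep a retagged action from running with the signing and attestation rights this block grants. Because a job-level `permissions:` block sets every unlisted scope to none, it is also worth stating `contents: read` explicitly, which the checkout step needs if the repository is private. The steps list continues outside the hunk, so whether the remaining actions are already pinned cannot be confirmed from here.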