From abad6c181fab4e64eceede9a1d29c4d028e5a850 Mon Sep 17 00:00:00 2001
From: "gcp-cherry-pick-bot[bot]"
 <98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com>
Date: Sun, 19 Nov 2023 00:31:20 +0100
Subject: [PATCH] ci: fix permissions for release pipeline to publish binaries
 (cherry-pick #7512) (#7621)

ci: fix permissions for release pipeline to publish binaries (#7512)

ci: fix permissions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L <jens@goauthentik.io>
---
 .github/workflows/ci-main.yml             | 2 ++
 .github/workflows/ci-outpost.yml          | 1 +
 .github/workflows/release-next-branch.yml | 1 +
 .github/workflows/release-publish.yml     | 5 +++++
 .github/workflows/repo-stale.yml          | 2 +-
 5 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
index 75f935636..35212732b 100644
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -186,6 +186,7 @@ jobs:
     needs: ci-core-mark
     runs-on: ubuntu-latest
     permissions:
+      # Needed to upload contianer images to ghcr.io
       packages: write
     timeout-minutes: 120
     steps:
@@ -233,6 +234,7 @@ jobs:
     needs: ci-core-mark
     runs-on: ubuntu-latest
     permissions:
+      # Needed to upload contianer images to ghcr.io
       packages: write
     timeout-minutes: 120
     steps:
diff --git a/.github/workflows/ci-outpost.yml b/.github/workflows/ci-outpost.yml
index e67353d16..47f387641 100644
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@@ -65,6 +65,7 @@ jobs:
           - radius
     runs-on: ubuntu-latest
     permissions:
+      # Needed to upload contianer images to ghcr.io
       packages: write
     steps:
       - uses: actions/checkout@v3
diff --git a/.github/workflows/release-next-branch.yml b/.github/workflows/release-next-branch.yml
index 7a75a82a5..4485d80d1 100644
--- a/.github/workflows/release-next-branch.yml
+++ b/.github/workflows/release-next-branch.yml
@@ -6,6 +6,7 @@ on:
   workflow_dispatch:
 
 permissions:
+  # Needed to be able to push to the next branch
   contents: write
 
 jobs:
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index c686840a5..e920e1480 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -8,6 +8,7 @@ jobs:
   build-server:
     runs-on: ubuntu-latest
     permissions:
+      # Needed to upload contianer images to ghcr.io
       packages: write
     steps:
       - uses: actions/checkout@v3
@@ -50,6 +51,7 @@ jobs:
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
+      # Needed to upload contianer images to ghcr.io
       packages: write
     strategy:
       fail-fast: false
@@ -100,6 +102,9 @@ jobs:
   build-outpost-binary:
     timeout-minutes: 120
     runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload binaries to the release
+      contents: write
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/repo-stale.yml b/.github/workflows/repo-stale.yml
index c52997a33..c37659de3 100644
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@@ -6,8 +6,8 @@ on:
   workflow_dispatch:
 
 permissions:
+  # Needed to update issues and PRs
   issues: write
-  pull-requests: write
 
 jobs:
   stale: