fix: add packages:write permission to attest job for cosign

mchmarny · mchmarny · commit 4632540bd710 · 2026-02-11T04:33:34.000-08:00
cosign attest pushes SBOM layers directly to GHCR, which requires
packages:write. The attestations:write permission only covers
GitHub's native attestation API.
diff --git a/.github/workflows/on-tag.yaml b/.github/workflows/on-tag.yaml
@@ -279,6 +279,7 @@ jobs:
     timeout-minutes: 10
     permissions:
       contents: read
+      packages: write
       id-token: write
       attestations: write
     steps:
