chore: bump bitcoind and dogecoind to debian13 and update job permissions on release workflows (#90)

Co-authored-by: klemenfn <102049210+klemenfn@users.noreply.github.com>

Author: gallindic-flare

.github/workflows/release-bitcoind.yml

@@ -7,9 +7,29 @@ on:
     branches: [main]
     paths: ["images/bitcoind/**"]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   call:
     uses: ./.github/workflows/release-image.yml
+    permissions:
+      actions: read
+      checks: read
+      contents: read
+      deployments: read
+      discussions: read
+      issues: read
+      models: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
+      security-events: read
+      artifact-metadata: read
+      packages: write
+      id-token: write
+      attestations: write
     with:
       image: ghcr.io/${{ github.repository }}/bitcoind
       context: images/bitcoind

.github/workflows/release-dogecoind.yml

@@ -7,9 +7,29 @@ on:
     branches: [main]
     paths: ["images/dogecoind/**"]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   call:
     uses: ./.github/workflows/release-image.yml
+    permissions:
+      actions: read
+      checks: read
+      contents: read
+      deployments: read
+      discussions: read
+      issues: read
+      models: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
+      security-events: read
+      artifact-metadata: read
+      packages: write
+      id-token: write
+      attestations: write
     with:
       image: ghcr.io/${{ github.repository }}/dogecoind
       context: images/dogecoind

.github/workflows/release-rippled.yml

@@ -7,9 +7,29 @@ on:
     branches: [main]
     paths: ["images/rippled/**"]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   call:
     uses: ./.github/workflows/release-image.yml
+    permissions:
+      actions: read
+      checks: read
+      contents: read
+      deployments: read
+      discussions: read
+      issues: read
+      models: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
+      security-events: read
+      artifact-metadata: read
+      packages: write
+      id-token: write
+      attestations: write
     with:
       image: ghcr.io/${{ github.repository }}/rippled
       context: images/rippled

images/bitcoind/Dockerfile

@@ -33,7 +33,7 @@ EOF
 
 RUN mkdir -p /opt/bitcoin/.bitcoin/db
 
-FROM gcr.io/distroless/cc-debian12:nonroot@sha256:189bd2ce1f7750193c2c10220d9201ba38c11e30fbb75b036606829fadbc81b1 as final
+FROM gcr.io/distroless/cc-debian13:nonroot@sha256:4cf9e68a5cbd8c9623480b41d5ed6052f028c44cc29f91b21590613ab8bec824 as final
 
 ENV DEBIAN_FRONTEND="noninteractive" TZ="Europe/London"
 

images/dogecoind/Dockerfile

@@ -42,7 +42,7 @@ RUN <<-EOF
     mkdir -p /opt/dogecoin/.dogecoin/db
 EOF
 
-FROM gcr.io/distroless/cc-debian12:nonroot@sha256:d1b8e4c52be1111aa108e959ef2a822299bb70fd1819dd250871a2601ca1e4b6 as final
+FROM gcr.io/distroless/cc-debian13:nonroot@sha256:4cf9e68a5cbd8c9623480b41d5ed6052f028c44cc29f91b21590613ab8bec824 as final
 
 ENV DEBIAN_FRONTEND="noninteractive" TZ="Europe/London"