Update CI contents permission to write; add SBOM note to README

xenago · xenago · commit 910285dee622 · 2024-06-05T11:39:52.000-04:00
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -12,11 +12,11 @@ jobs:
     # https://github.com/actions/runner-images
     runs-on: ubuntu-24.04
 
-    # Required for attestation
+    # Required for attestation and release
     permissions:
-      id-token: write
-      contents: read
-      attestations: write
+      id-token: write  # attestation requires `write`
+      contents: write  # release requires `write`, attestation requires at least `read`
+      attestations: write  # attestation requires `write`
 
     steps:
 
diff --git a/README.md b/README.md
@@ -386,9 +386,11 @@ Commands are not passed through a shell for execution. Although it is possible t
 with `libnss_shim`, using a shell is not recommended as this comes with additional risks such as command injection.
 
 To verify artifact attestations for official releases build with GitHub Actions, the [GitHub CLI](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli)
-can be used. Note that this is not available for versions `<=1.2.0`. Example command:
+can be used (available for versions `>=1.2.1`). Example command:
 
-    gh attestation verify /set/the/path/to/libnss_shim.deb -R xenago/libnss_shim
+    gh attestation verify /path/to/libnss_shim.deb -R xenago/libnss_shim
+
+SBOM artifacts are produced in CI for each build.
 
 Please report problems by creating GitHub Issues or [private advisories](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability).
 
diff --git a/changelog/CHANGELOG.txt b/changelog/CHANGELOG.txt
@@ -2,6 +2,7 @@
 - Add note to README about script permissions for users (`group`/`passwd` OK public, `shadow` best private)
 - Add advanced example with scripts for each function and a Dockerfile
 - Migrate to a single configurable build script with CPU architecture detection
+- Explicitly set `contents` permission to `write` in CI
 - From this release onwards, deb packages will have a `-1` version suffix to match RPM
 - Bump `cargo-deb` to `2.2.0`
 - Bump ubuntu build container to `24.04`
