From 05823680f3225b33098f2367f9ddfbd98dfbd58e Mon Sep 17 00:00:00 2001
From: Otto Bittner <cobittner@posteo.net>
Date: Mon, 27 Feb 2023 10:49:52 +0100
Subject: [PATCH] ci: fix release pipeline (#1253)

* add pull-request permission to docs job
* readd permission for micro-services step
* run checkout action before building
* allow crane to read packages
---
 .github/workflows/release.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 57d4dc6c4..8f0ae1d3b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -62,6 +62,7 @@ jobs:
     needs: verify-inputs
     permissions:
       contents: write
+      pull-requests: write
     env:
       VERSION: ${{ inputs.version }}
       MAJOR_MINOR: ${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
@@ -118,6 +119,9 @@ jobs:
     name: Build micro services
     runs-on: ubuntu-22.04
     needs: [verify-inputs, prepare-release-branch]
+    permissions:
+      contents: read
+      packages: write
     strategy:
       matrix:
         koTarget:
@@ -169,6 +173,11 @@ jobs:
           - appName: libvirt
             dockerfile: ./cli/internal/libvirt/Dockerfile
     steps:
+      - name: Checkout
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        with:
+          ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
+
       - name: Build docker image
         uses: ./.github/actions/build_micro_service
         with:
@@ -187,6 +196,7 @@ jobs:
     runs-on: ubuntu-22.04
     permissions:
       contents: write
+      packages: read
     env:
       VERSION: ${{ inputs.version }}
       WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
@@ -261,7 +271,7 @@ jobs:
 
   update-hardcoded-measurements:
     name: Update hardcoded measurements (in the CLI)
-    needs: [verify-inputs]
+    needs: [verify-inputs, os-image]
     permissions:
       contents: write
     runs-on: ubuntu-22.04