From f361ec281e9b9f5c010c0fdbef293920cdb7f2a6 Mon Sep 17 00:00:00 2001
From: arpitjain099
Date: Wed, 13 May 2026 11:40:06 +0000
Subject: [PATCH] ci(migrate-sboms-to-oci): pin contents: read

The migration job uses OCI_S3_ACCESS_KEY + OCI_S3_SECRET_KEY to push to OCI buckets via the AWS-compatible S3 API. The default GITHUB_TOKEN is only used for the checkout step.

Signed-off-by: arpitjain099
Signed-off-by: Arpit Jain
---
 .github/workflows/migrate-sboms-to-oci.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/migrate-sboms-to-oci.yml b/.github/workflows/migrate-sboms-to-oci.yml
index 19359333..119b2f6d 100644
--- a/.github/workflows/migrate-sboms-to-oci.yml
+++ b/.github/workflows/migrate-sboms-to-oci.yml
@@ -7,6 +7,11 @@ concurrency:
   group: migrate-sboms
   cancel-in-progress: false
 
+# OCI S3 push uses OCI_S3_ACCESS_KEY + OCI_S3_SECRET_KEY; default
+# GITHUB_TOKEN only needs read for the checkout.
+permissions:
+  contents: read
+
 jobs:
   migrate:
     runs-on: ubuntu-latest
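Review bot: The workflow-level `permissions:` block added here is replaced, not intersected, by any job-level `permissions:` in the `migrate` job, whose body continues outside this hunk, so the pin only takes effect if that job declares none; worth confirming, and the same applies to any job added to this file later. Since the commit message states the default token is used only by the checkout step, the read token could additionally be kept out of the workspace for the steps that handle the OCI S3 keys by setting `persist-credentials: false` on the `actions/checkout` step (outside this hunk). The rationale comment above `permissions:` is a good addition; it could also note that `contents: read` is inherited by every job in the workflow, e.g. `# Applies to every job unless a job sets its own permissions block.`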