tibiadata · tobiasehlert · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -13,12 +13,6 @@ on:
     types: [published]
   workflow_dispatch:
 
-permissions:
-  attestations: write
-  contents: read
-  id-token: write
-  packages: write
-
 concurrency:
   group: build-${{ github.workflow }}-${{ github.ref }}
 
@@ -28,6 +22,12 @@ jobs:
     runs-on: ${{ matrix.runner }}
     if: github.event_name != 'pull_request'
 
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+      packages: write
+
     strategy:
       fail-fast: false
       matrix:
@@ -131,6 +131,12 @@ jobs:
     needs:
       - build
 
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+      packages: write
+
     outputs:
       docker_build_digest: ${{ steps.docker_build.outputs.digest }}
       docker_meta_version: ${{ steps.docker_meta.outputs.version }}
@@ -242,25 +248,26 @@ jobs:
           docker buildx imagetools inspect ghcr.io/${{ github.repository }}:${{ steps.docker_meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64") }}'
           echo "::endgroup::"
 
-      # - name: Verify cosign signatures
-      #   run: |
-      #     echo "::group::Verify signature (DockerHub)"
-      #     cosign verify --rekor-url https://rekor.sigstore.dev \
-      #       --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
-      #       --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-      #       ${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
-      #     echo "::endgroup::"
-
-      #     echo "::group::Verify signature (GitHub Container Registry)"
-      #     cosign verify --rekor-url https://rekor.sigstore.dev \
-      #       --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
-      #       --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-      #       ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
-      #     echo "::endgroup::"
+      - name: Verify cosign signatures
+        run: |
+          echo "::group::Verify signature (DockerHub)"
+          cosign verify \
+            --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            ${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
+          echo "::endgroup::"
+
+          echo "::group::Verify signature (GitHub Container Registry)"
+          cosign verify \
+            --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }}
+          echo "::endgroup::"
 
   argocd:
     if: github.event_name == 'release' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
     runs-on: ubuntu-latest
+    permissions: {}
     needs:
       - build
       - manifest