From 731fcccfd98e84946b39dd5d2b14300738ffadfb Mon Sep 17 00:00:00 2001
From: Behnam Mozafari
Date: Fri, 8 May 2026 15:54:45 +1000
Subject: [PATCH 1/2] UID2-6764: grant id-token and attestations write for SLSA provenance
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/publish-public-operator-docker-image.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/publish-public-operator-docker-image.yaml b/.github/workflows/publish-public-operator-docker-image.yaml
index 9c2898ce0..ebe68c495 100644
--- a/.github/workflows/publish-public-operator-docker-image.yaml
+++ b/.github/workflows/publish-public-operator-docker-image.yaml
@@ -61,6 +61,9 @@ jobs:
 name: Image
 uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@v3
 needs: check_major
+ permissions:
+ id-token: write
+ attestations: write
 with:
 release_type: ${{ inputs.release_type }}
 version_number_input: ${{ inputs.version_number_input }}
From 7dda79d2148397856e40f8c1fa1a2dbef8cc6f08 Mon Sep 17 00:00:00 2001
From: Behnam Mozafari
Date: Fri, 8 May 2026 15:58:08 +1000
Subject: [PATCH 2/2] UID2-6764: also grant the implicit defaults the publish job relied on
Reusable workflows take the intersection of caller and callee permissions. Adding only id-token + attestations would have stripped the contents/ packages/security-events/pull-requests writes that the existing publish implicitly inherited from the workflow default, breaking the build.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/publish-public-operator-docker-image.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/publish-public-operator-docker-image.yaml b/.github/workflows/publish-public-operator-docker-image.yaml
index ebe68c495..9a83fa40a 100644
--- a/.github/workflows/publish-public-operator-docker-image.yaml
+++ b/.github/workflows/publish-public-operator-docker-image.yaml
@@ -62,6 +62,10 @@ jobs:
 uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@v3
 needs: check_major
 permissions:
+ contents: write
+ security-events: write
+ packages: write
+ pull-requests: write
 id-token: write
 attestations: write
 with:
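Review bot: The job now hands `id-token: write` and `attestations: write`, together with `contents`, `packages`, `security-events` and `pull-requests` writes, to a reusable workflow referenced by the mutable tag on the context line `uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@v3`; once the caller job can mint OIDC tokens and write attestations, whoever can move that tag decides what the token is exchanged for and what gets attested, so pinning the reference to a full commit SHA (`@<commit-sha>`, with the tag kept in a trailing comment) is the usual hardening. Each scope in the block should also be justified against what the shared workflow actually requires rather than what the old implicit default happened to grant; `security-events: write` and `pull-requests: write` look wider than a docker publish needs, though that depends on the callee, which is not visible here. A short comment per scope, e.g. `# id-token: write — OIDC token for SLSA provenance signing`, would let the next reviewer prune the list with confidence. The same `@v3` reference sits in the PATCH 1/2 hunk that first introduced the `permissions:` block.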