fix(btm-builder-image): drop id-token + attestations permissions

jdalton · jdalton · commit 10c3ef73c04d · 2026-05-29T02:23:55.000-04:00
GHA may startup_failure when a workflow requests `attestations: write`
or `id-token: write` permissions on a repo that doesn't have GitHub
Attestations / OIDC publishing enabled at the repo or org level.
Neither permission is required for the basic `docker push` to
ghcr.io (uses GITHUB_TOKEN via docker/login-action). Drop both
until sigstore-attestation integration is genuinely needed.
diff --git a/.github/workflows/btm-builder-image.yml b/.github/workflows/btm-builder-image.yml
@@ -39,8 +39,6 @@ jobs:
     permissions:
       contents: read
       packages: write
-      id-token: write
-      attestations: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 (2026-05-15)
