github: workflows: Adjust permissions to make efficient package/integration tests

[cosmo0920]

---

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

• Example configuration file for the change
• Debug log output from testing the change

• Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

• Run local packaging test showing all targets (including any new ones) build.
• Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

• Documentation required for this feature

Backporting

• Backport to latest stable release.

---

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

• Chores
  • CI workflow: granted identity-token write permission to the container build job while retaining existing repository and package permissions.
  • CI workflow: granted package read permission to the integration test job to allow registry/package access during integration runs.

[coderabbitai]

📝 Walkthrough

Walkthrough

Two CI workflow jobs were updated: pr-container-builds now includes permissions.id-token: write, and pr-integration-test-run-integration now includes permissions.packages: read. No other workflow triggers or jobs were modified.

Changes

Job permissions change

Layer / File(s)	Summary
pr-container-builds: add id-token .github/workflows/pr-package-tests.yaml	Adds id-token: write to the pr-container-builds job permissions block (keeps contents: read, packages: write).
pr-integration-test: add packages read .github/workflows/pr-integration-test.yaml	Adds packages: read to the pr-integration-test-run-integration job permissions block (keeps contents: read).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fluent/fluent-bit#11820: Also edits .github/workflows/pr-package-tests.yaml to adjust pr-container-builds job permissions.
• fluent/fluent-bit#11533: Related changes to workflow job permissions for integration tests and package access.

Suggested labels

docs-required

Suggested reviewers

• niedbalski
• patrick-stephens
• celalettin1286

Poem

🐰 I nibble through the CI night,
permissions set, the tokens bright.
Packages read and id-tokens flow,
builds hop forward—on we go!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title accurately reflects the main change: adjusting workflow permissions for package and integration tests, with specific focus on adding id-token write permission and packages read access.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch comso0920-revive-package-test-with-efficient-privileges

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}