chore(ci): fix security scans

.github/workflows/dockerimage.yml

@@ -8,6 +8,9 @@ on:
     - '*'
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-24.04
@@ -37,7 +40,9 @@ jobs:
     name: Build, ${{ matrix.architecture }}
     strategy:
       matrix:
-        architecture: [linux/arm/v7, linux/arm64]
+        architecture:
+        - linux/arm/v7
+        - linux/arm64
     env:
       MATRIX_ARCHITECTURE: ${{ matrix.architecture }}
     steps:
@@ -90,7 +95,8 @@ jobs:
   anchore:
     runs-on: ubuntu-24.04
     name: Anchore Container Scan, ${{ matrix.architecture }}
-    needs: [build]
+    needs:
+    - build
     permissions:
       security-events: write
     strategy:
@@ -132,7 +138,10 @@ jobs:
   trivy:
     runs-on: ubuntu-24.04
     name: Trivy Container Scan, ${{ matrix.architecture }}
-    needs: [build]
+    needs:
+    - build
+    permissions:
+      security-events: write
     strategy:
       matrix:
         architecture: [linux/amd64]
@@ -177,7 +186,11 @@ jobs:
   push_dockerhub:
     runs-on: ubuntu-24.04
     name: Publish to Docker Hub
-    needs: [test, anchore, trivy, buildx]
+    needs:
+    - test
+    - buildx
+    - anchore
+    - trivy
     if: ${{ startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main') }}
     steps:
     - name: Checkout
@@ -216,7 +229,13 @@ jobs:
   push_github:
     runs-on: ubuntu-24.04
     name: Publish to GitHub
-    needs: [test, anchore, trivy, buildx]
+    permissions:
+      packages: write
+    needs:
+    - test
+    - buildx
+    - anchore
+    - trivy
     if: ${{ startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main') }}
     env:
       DOCKER_IMAGE: ghcr.io/weblateorg/locale_lint