ci: add id-token permissions to ci workflows (#3873)

BobbieGoede · web-flow · commit 9f62ed88c663 · 2025-11-08T11:27:19.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,6 +1,8 @@
 ---
 name: CI
 
+permissions: {}
+
 env:
   CI: true
 
@@ -130,6 +132,8 @@ jobs:
       - build
       - test
     runs-on: ${{ matrix.os }}
+    permissions:
+      id-token: write
     strategy:
       matrix:
         node-version: [lts/*]
diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml
@@ -1,4 +1,7 @@
 name: nightly release
+
+permissions: {}
+
 on:
   push:
     branches:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,5 +1,9 @@
 name: Release
 
+permissions:
+  id-token: write
+  contents: write
+
 # trigger by `git tag` push only via `yarn release`
 on:
   push:
diff --git a/.github/workflows/reproduire.yml b/.github/workflows/reproduire.yml
@@ -1,10 +1,12 @@
 name: Reproduire
+
+permissions:
+  issues: write
+
 on:
   issues:
     types: [labeled]
 
-permissions:
-  issues: write
 
 jobs:
   reproduire:
