From cacf1b5d8bccd16a8c2381fbd0912715a78a22c2 Mon Sep 17 00:00:00 2001
From: Micah Nagel <micah.nagel@defenseunicorns.com>
Date: Wed, 17 Jul 2024 15:49:06 -0600
Subject: [PATCH] fix(ci): workflow permissions

---
 .github/workflows/pull-request-conditionals.yaml | 1 +
 .github/workflows/test.yaml                      | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml
index 7d942961a..081d210f6 100644
--- a/.github/workflows/pull-request-conditionals.yaml
+++ b/.github/workflows/pull-request-conditionals.yaml
@@ -11,6 +11,7 @@ permissions:
   id-token: write # Needed for OIDC-related operations.
   contents: read # Allows reading the content of the repository.
   pull-requests: read # Allows reading pull request metadata.
+  packages: read # Allows reading the published GHCR packages
 
 # Default settings for all run commands in the workflow jobs.
 defaults:
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 5cf31d631..ebfb38396 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -35,6 +35,7 @@ on:
 permissions:
   contents: read
   id-token: write  # This is needed for OIDC federation.
+  packages: read # Allows reading the published GHCR packages
 
 jobs:
   test: