From 5c3c1a161650cf10b36382c0e7e03d66974fef2b Mon Sep 17 00:00:00 2001
From: tammy-baylis-swi
Date: Wed, 28 Feb 2024 10:02:21 -0800
Subject: [PATCH] Add id-token permissions
---
 .github/workflows/build_publish_lambda_layer_aarch64.yaml | 4 ++++
 .github/workflows/build_publish_pypi_and_draft_release.yaml | 4 ++++
 .github/workflows/build_publish_testpypi.yaml | 4 ++++
 .github/workflows/verify_install.yaml | 4 ++++
 4 files changed, 16 insertions(+)
diff --git a/.github/workflows/build_publish_lambda_layer_aarch64.yaml b/.github/workflows/build_publish_lambda_layer_aarch64.yaml
index 69fef2cd..67ccec80 100644
--- a/.github/workflows/build_publish_lambda_layer_aarch64.yaml
+++ b/.github/workflows/build_publish_lambda_layer_aarch64.yaml
@@ -9,6 +9,10 @@ name: Publish APM Python lambda layer for aarch64
 on:
 workflow_call:
+permissions:
+ id-token: write
+ contents: read
+
 jobs:
 launch_arm64:
 name: Launch arm64 ec2 runners
diff --git a/.github/workflows/build_publish_pypi_and_draft_release.yaml b/.github/workflows/build_publish_pypi_and_draft_release.yaml
index 8a6f5b1a..9d8f0275 100644
--- a/.github/workflows/build_publish_pypi_and_draft_release.yaml
+++ b/.github/workflows/build_publish_pypi_and_draft_release.yaml
@@ -16,6 +16,10 @@ on:
 env:
 RELEASE_NAME: rel-${{ github.event.inputs.version }}
+permissions:
+ id-token: write
+ contents: read
+
 jobs:
 is_publishable:
 name: Check if version valid
diff --git a/.github/workflows/build_publish_testpypi.yaml b/.github/workflows/build_publish_testpypi.yaml
index b67ddc6f..3c3df019 100644
--- a/.github/workflows/build_publish_testpypi.yaml
+++ b/.github/workflows/build_publish_testpypi.yaml
@@ -9,6 +9,10 @@ name: Publish to TestPyPi
 on:
 workflow_dispatch:
+permissions:
+ id-token: write
+ contents: read
+
 jobs:
 build_publish_sdist_and_x86_64:
 name: Build and publish sdist and x86_64
diff --git a/.github/workflows/verify_install.yaml b/.github/workflows/verify_install.yaml
index 9ded22c9..2dd33490 100644
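Review bot: The `permissions` block added at workflow level in build_publish_lambda_layer_aarch64.yaml grants `id-token: write` to every job in the file, so any step in any job can request an OIDC token, not only the one that performs the cloud login. I would keep only `contents: read` at workflow level and move `id-token: write` into a job-level `permissions:` block on the job that needs it (presumably `launch_arm64`, whose steps are outside the hunk); that block must repeat `contents: read`, because a job-level block replaces the workflow-level one. The same workflow-wide grant is added in build_publish_pypi_and_draft_release.yaml, build_publish_testpypi.yaml and verify_install.yaml. Since this file is triggered by `workflow_call`, the calling job must also grant `id-token: write`, as a called workflow cannot raise the permissions it inherits.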
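Review bot: `contents: read` in the workflow-level block of build_publish_pypi_and_draft_release.yaml caps the `GITHUB_TOKEN` for the whole workflow, and every scope not listed becomes `none`. If a later job creates the draft release or pushes the branch named by `RELEASE_NAME` with that token (inferred from the workflow name; those jobs are outside the hunk), the call will be rejected unless that job declares its own `permissions:` with `contents: write`. Worth confirming that the release job either carries that job-level override or uses a separate token.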
--- a/.github/workflows/verify_install.yaml
+++ b/.github/workflows/verify_install.yaml
@@ -30,6 +30,10 @@ env:
 SW_APM_SERVICE_KEY_PROD: ${{ secrets.SW_APM_SERVICE_KEY_PROD }}
 SW_APM_SERVICE_KEY_STAGING: ${{ secrets.SW_APM_SERVICE_KEY_STAGING }}
+permissions:
+ id-token: write
+ contents: read
+
 jobs:
 launch-arm64:
 runs-on: ubuntu-latest
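Review bot: The new `permissions` block in verify_install.yaml carries no comment saying why an install-verification workflow needs to mint OIDC tokens, which makes the grant hard to audit later. I would add a comment above it such as `# id-token: write is required to request the GitHub OIDC token; unlisted scopes default to none`, and name the job that consumes the token. From the visible context that is likely `launch-arm64`, but its steps are outside the hunk.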