bug(ci): set id-token permissions (#223)

sethvargo · web-flow · commit 3a8622c06b9b · 2025-08-21T17:32:34.000Z
diff --git a/.github/workflows/gemini-dispatch.yml b/.github/workflows/gemini-dispatch.yml
@@ -108,8 +108,9 @@ jobs:
     uses: './.github/workflows/gemini-review.yml'
     permissions:
       contents: 'read'
-      pull-requests: 'write'
+      id-token: 'write'
       issues: 'write'
+      pull-requests: 'write'
     with:
       additional_context: '${{ needs.dispatch.outputs.additional_context }}'
     secrets: 'inherit'
@@ -121,6 +122,7 @@ jobs:
     uses: './.github/workflows/gemini-triage.yml'
     permissions:
       contents: 'read'
+      id-token: 'write'
       issues: 'write'
       pull-requests: 'write'
     with:
@@ -134,6 +136,7 @@ jobs:
     uses: './.github/workflows/gemini-invoke.yml'
     permissions:
       contents: 'read'
+      id-token: 'write'
       issues: 'write'
       pull-requests: 'write'
     with:
diff --git a/.github/workflows/gemini-invoke.yml b/.github/workflows/gemini-invoke.yml
@@ -21,6 +21,7 @@ jobs:
     runs-on: 'ubuntu-latest'
     permissions:
       contents: 'read'
+      id-token: 'write'
       issues: 'write'
       pull-requests: 'write'
     steps:
diff --git a/.github/workflows/gemini-review.yml b/.github/workflows/gemini-review.yml
@@ -22,8 +22,9 @@ jobs:
     timeout-minutes: 7
     permissions:
       contents: 'read'
-      pull-requests: 'write'
+      id-token: 'write'
       issues: 'write'
+      pull-requests: 'write'
     steps:
       - name: 'Mint identity token'
         id: 'mint_identity_token'
diff --git a/.github/workflows/gemini-triage.yml b/.github/workflows/gemini-triage.yml
@@ -25,6 +25,7 @@ jobs:
       selected_labels: '${{ env.SELECTED_LABELS }}'
     permissions:
       contents: 'read'
+      id-token: 'write'
       issues: 'read'
       pull-requests: 'read'
     steps:
