Grant OIDC token permissions to GCP jobs

anth-volk · anth-volk · commit 7e8299378085 · 2026-04-27T23:39:43.000+02:00
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -52,6 +52,9 @@ jobs:
   test_env_vars:
     name: Test environment variables
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
@@ -84,6 +87,9 @@ jobs:
     name: Test
     runs-on: ubuntu-latest
     needs: test_env_vars
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -115,6 +115,9 @@ jobs:
       (github.repository == 'PolicyEngine/policyengine-api')
       && (github.event.head_commit.message == 'Update PolicyEngine API')
     environment: staging
+    permissions:
+      contents: read
+      id-token: write
     outputs:
       version: ${{ steps.version.outputs.version }}
       url: ${{ steps.version_url.outputs.url }}
@@ -231,6 +234,9 @@ jobs:
       (github.repository == 'PolicyEngine/policyengine-api')
       && (github.event.head_commit.message == 'Update PolicyEngine API')
     environment: production
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
