From 3c94a1e2edbcd2ecc270f135e0c8cac16927abab Mon Sep 17 00:00:00 2001 From: Mark Slowey Date: Tue, 23 Dec 2025 14:33:36 +0000 Subject: [PATCH] update static deploy workflow permissions --- .github/workflows/pr_closed.yaml | 12 ++++-------- .github/workflows/release_created.yaml | 1 + infrastructure/terraform/components/api/README.md | 2 ++ 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/pr_closed.yaml b/.github/workflows/pr_closed.yaml index 003cf976..abdd4520 100644 --- a/.github/workflows/pr_closed.yaml +++ b/.github/workflows/pr_closed.yaml @@ -11,6 +11,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: false +permissions: + contents: read + packages: read + jobs: check-merge-or-workflow-dispatch: runs-on: ubuntu-latest @@ -39,7 +43,6 @@ jobs: permissions: id-token: write - contents: read strategy: max-parallel: 1 @@ -70,9 +73,6 @@ jobs: outputs: version_changed: ${{ steps.check-version.outputs.version_changed }} runs-on: ubuntu-latest - permissions: - contents: read - packages: read steps: - name: Checkout code uses: actions/checkout@v5.0.0 @@ -107,9 +107,6 @@ jobs: needs: check-event-schemas-version-change if: needs.check-event-schemas-version-change.outputs.version_changed == 'true' runs-on: ubuntu-latest - permissions: - contents: read - packages: read steps: - name: "Checkout code" uses: actions/checkout@v5.0.0 @@ -135,7 +132,6 @@ jobs: if: needs.check-event-schemas-version-change.outputs.version_changed == 'true' runs-on: ubuntu-latest permissions: - contents: read packages: write steps: diff --git a/.github/workflows/release_created.yaml b/.github/workflows/release_created.yaml index 7960e23c..72250543 100644 --- a/.github/workflows/release_created.yaml +++ b/.github/workflows/release_created.yaml @@ -16,6 +16,7 @@ jobs: permissions: id-token: write contents: read + packages: read strategy: max-parallel: 1 
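Review bot: Removing `contents: read` from the job-level blocks at `@@ -39,7 +43,6 @@` and `@@ -135,7 +132,6 @@` leaves those jobs with less access than the new workflow-level default, because a job-level `permissions` block replaces the workflow-level one and every scope it does not list becomes `none`. After this change the first job holds only `id-token: write` and the second only `packages: write`, so neither has `contents: read`, and the first also lacks the `packages: read` that this same commit adds to the similarly shaped `id-token: write` job in release_created.yaml. If those jobs check out the repository or pull packages (their steps are outside the hunks), keep the scopes explicit: `id-token: write`, `contents: read`, `packages: read` for the first and `contents: read`, `packages: write` for the second. The two jobs whose blocks are removed entirely (`@@ -70,9 +73,6 @@` and `@@ -107,9 +107,6 @@`) do inherit the default, so those hunks are fine.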
diff --git a/infrastructure/terraform/components/api/README.md b/infrastructure/terraform/components/api/README.md
index 150af054..59cd0c85 100644
--- a/infrastructure/terraform/components/api/README.md
+++ b/infrastructure/terraform/components/api/README.md
@@ -12,6 +12,8 @@ No requirements.
 | [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
 | [ca\_pem\_filename](#input\_ca\_pem\_filename) | Filename for the CA truststore file within the s3 bucket | `string` | `null` | no |
 | [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"supapi"` | no |
+| [core\_account\_id](#input\_core\_account\_id) | AWS Account ID for Core | `string` | `"000000000000"` | no |
+| [core\_environment](#input\_core\_environment) | Environment of Core | `string` | `"prod"` | no |
 | [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | [enable\_backups](#input\_enable\_backups) | Enable backups | `bool` | `false` | no |
 | [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |