From 0ddc5c078139434f8d61f88cd6195bb9d0285fa5 Mon Sep 17 00:00:00 2001
From: gnbm
Date: Tue, 18 Nov 2025 11:43:24 +0000
Subject: [PATCH] Finetune workflows permissions
---
 .github/workflows/nightly.yml | 1 +
 .github/workflows/release-orchestrator.yml | 9 +++++++++
 2 files changed, 10 insertions(+)
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index af5f64370ea..65bfdd263d1 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -34,6 +34,7 @@ jobs:
 contents: read
 id-token: write
 uses: ./.github/workflows/release-ionic.yml
+ secrets: inherit
 with:
 tag: nightly
 version: ${{ needs.create-nightly-hash.outputs.nightly-hash }}
diff --git a/.github/workflows/release-orchestrator.yml b/.github/workflows/release-orchestrator.yml
index cbbed32290f..860cce312cb 100644
--- a/.github/workflows/release-orchestrator.yml
+++ b/.github/workflows/release-orchestrator.yml
@@ -55,16 +55,25 @@ permissions:
 jobs:
 run-nightly:
 if: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.release-type == 'nightly') }}
+ permissions:
+ contents: read
+ id-token: write
 uses: ./.github/workflows/nightly.yml
 secrets: inherit
 run-dev:
 if: ${{ github.event_name == 'workflow_dispatch' && inputs.release-type == 'dev' }}
+ permissions:
+ contents: read
+ id-token: write
 uses: ./.github/workflows/dev-build.yml
 secrets: inherit
 run-production:
 if: ${{ github.event_name == 'workflow_dispatch' && inputs.release-type == 'production' }}
+ permissions:
+ contents: read
+ id-token: write
 uses: ./.github/workflows/release.yml
 secrets: inherit
 with:
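Review bot: The added `secrets: inherit` on the call to `release-ionic.yml` makes every secret visible to the caller available to that reusable workflow, which widens access in a commit that otherwise narrows permissions. The job already grants `id-token: write`, so if publishing relies on OIDC the called workflow may need few or no repository secrets; that cannot be confirmed from this hunk. Prefer declaring the required secrets under `on.workflow_call.secrets` in the called workflow and passing them by name, i.e. `secrets:` followed by `<SECRET_NAME>: ${{ secrets.<SECRET_NAME> }}` (placeholder name). The same `secrets: inherit` already sits on all three jobs in the `release-orchestrator.yml` hunk, so the whole chain now forwards the full secret set. The job definition starts above this hunk, so its name and `needs` are not visible here.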
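Review bot: The three identical `permissions` blocks added to `run-nightly`, `run-dev` and `run-production` become the upper bound for everything the called workflows may request, and any scope not listed drops to none. If `release.yml` (or a workflow it calls) declares a wider scope such as `contents: write` for tagging or creating a release, the run is rejected as invalid at startup rather than failing at the step; the called files are outside this diff, so each one should be checked against the new ceiling. `id-token: write` lets jobs in the called workflow request an OIDC token, so each caller deserves a comment saying why it is needed, for example `# id-token: write: called workflow publishes via OIDC` if that is the reason, and it should be dropped from `run-dev` if dev builds do not publish. The `run-production` job continues past the end of the hunk (`with:`).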