From b4e540decc484bd22eb84484a8eb94f19b1790c1 Mon Sep 17 00:00:00 2001
From: Brandy Smith
Date: Mon, 1 Dec 2025 10:10:00 -0500
Subject: [PATCH 1/3] chore(workflows): update release workflow permissions for finalizing (#30814)

Co-authored-by: Brandy Smith <6577830+brandyscarney@users.noreply.github.com>
---
 .github/workflows/release.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6fcb4b7d5dc..96640319e59 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -54,6 +54,9 @@ jobs:
 finalize-release:
 needs: [release-ionic]
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
 steps:
 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
@@ -82,6 +85,9 @@ jobs:
 # possible for them to push at the same time.
 needs: [finalize-release]
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
 steps:
 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 # Pull the latest version of the reference
From c65b76e72777bff11612c972fa087fba9081572c Mon Sep 17 00:00:00 2001
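Review bot: `id-token: write` is granted to both `finalize-release` and `update-package-lock` (the hunk at -82,6 repeats the same block), yet nothing visible in either hunk requests an OIDC token; the step lists continue outside the hunks, so this needs confirming against the full jobs. If these jobs only push commits or tags, the block can be reduced to `permissions:` with the single entry `contents: write`, so that no step or third-party action in the job can mint an OIDC token for the repository's identity. If a step does need it, a comment above the block such as `# id-token: write is required by <step name> for OIDC` would record why the scope is there.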
From: Brandy Smith
Date: Mon, 1 Dec 2025 11:25:26 -0500
Subject: [PATCH 2/3] chore(workflows): fix release workflow permissions (#30823)

The workflow permissions update did not work due to it being nested in a workflow that only had `read` permissions. You can see a failing run here (scroll down to annotations): [19828029833](https://github.com/ionic-team/ionic-framework/actions/runs/19828029833)
```
Invalid workflow file: .github/workflows/release-orchestrator.yml#L71 The workflow is not valid. .github/workflows/release-orchestrator.yml (Line: 71, Col: 3): Error calling workflow 'ionic-team/ionic-framework/.github/workflows/release.yml@b4e540decc484bd22eb84484a8eb94f19b1790c1'. The nested job 'finalize-release' is requesting 'contents: write', but is only allowed 'contents: read'. .github/workflows/release-orchestrator.yml (Line: 71, Col: 3): Error calling workflow 'ionic-team/ionic-framework/.github/workflows/release.yml@b4e540decc484bd22eb84484a8eb94f19b1790c1'. The nested job 'update-package-lock' is requesting 'contents: write', but is only allowed 'contents: read'.
```
This updates the parent workflow to have `write` permissions. You can see a passing run here: [19828895682](https://github.com/ionic-team/ionic-framework/actions/runs/19828895682)
Co-authored-by: Brandy Smith <6577830+brandyscarney@users.noreply.github.com>
---
 .github/workflows/release-orchestrator.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release-orchestrator.yml b/.github/workflows/release-orchestrator.yml
index 2c41ed516f9..a0c05cbcd58 100644
--- a/.github/workflows/release-orchestrator.yml
+++ b/.github/workflows/release-orchestrator.yml
@@ -71,7 +71,7 @@ jobs:
 run-production:
 if: ${{ github.event_name == 'workflow_dispatch' && inputs.release-type == 'production' }}
 permissions:
- contents: read
+ contents: write
 id-token: write
 uses: ./.github/workflows/release.yml
 secrets: inherit
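Review bot: Setting `contents: write` on `run-production` raises the token ceiling for every job in the called `release.yml`, not only the two jobs that push; any job there without its own `permissions:` block would run with `contents: write` and `id-token: write`. Whether the remaining jobs in `release.yml` declare their own permissions is not visible in this hunk, so that should be checked. A workflow-level `permissions:` with `contents: read` in `release.yml` would keep the write scope confined to `finalize-release` and `update-package-lock`, which override it at job level. Since the same job also passes `secrets: inherit`, a comment here such as `# contents: write is needed by finalize-release and update-package-lock in release.yml` would document why the caller grants it.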
From f19160497f4c29fe9b7a88d86932139eff4dd04d Mon Sep 17 00:00:00 2001 From: Brandy Smith <6577830+brandyscarney@users.noreply.github.com> Date: Mon, 1 Dec 2025 17:05:11 -0500 Subject: [PATCH 3/3] chore(deps): add playwright-core as a dev dependency --- core/package-lock.json | 15 ++------------- core/package.json | 1 + 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/core/package-lock.json b/core/package-lock.json index f7ff7e34a26..17605dcfb20 100644 --- a/core/package-lock.json +++ b/core/package-lock.json @@ -45,6 +45,7 @@ "jest": "^29.7.0", "jest-cli": "^29.7.0", "outsystems-design-tokens": "^1.3.4", + "playwright-core": "^1.56.1", "prettier": "^2.8.8", "rollup": "^2.26.4", "sass": "^1.33.0", @@ -9568,24 +9569,12 @@ } }, "node_modules/playwright-core": { - "version": "1.56.1", - "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.56.1.tgz", - "integrity": "sha512-hutraynyn31F+Bifme+Ps9Vq59hKuUCz7H1kDOcBs+2oGguKkWTU50bBWrtz34OUWmIwpBTWDxaRPXrIXkgvmQ==", - "dev": true, - "peer": true, - "bin": { - "playwright-core": "cli.js" - }, - "engines": { - "node": ">=18" - } - }, - "node_modules/playwright/node_modules/playwright-core": { "version": "1.56.1", "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.56.1.tgz", "integrity": "sha512-hutraynyn31F+Bifme+Ps9Vq59hKuUCz7H1kDOcBs+2oGguKkWTU50bBWrtz34OUWmIwpBTWDxaRPXrIXkgvmQ==", "dev": true, "license": "Apache-2.0", + "peer": true, "bin": { "playwright-core": "cli.js" }, diff --git a/core/package.json b/core/package.json index 72ea2b458c6..ef5e0fca603 100644 --- a/core/package.json +++ b/core/package.json @@ -67,6 +67,7 @@ "jest": "^29.7.0", "jest-cli": "^29.7.0", "outsystems-design-tokens": "^1.3.4", + "playwright-core": "^1.56.1", "prettier": "^2.8.8", "rollup": "^2.26.4", "sass": "^1.33.0",