fix(INFRA-3631): add job-level permissions to shadow CI caller

alucardzom · alucardzom · commit 33bcfc1073e8 · 2026-05-15T16:26:53.000+02:00
Add job-level permissions to the shadow-ci caller job. With
workflow_call the caller's permissions cap the callee — ci.yml
jobs declare statuses/issues/pull-requests write, so the caller
must grant at least the same or the workflow fails at startup.

Write permissions are required for the workflow to start but the
shadow should not post duplicate statuses or PR comments. A
follow-up will gate those write steps in ci.yml to skip when
running under the shadow workflow.
diff --git a/.github/workflows/ci-namespace-shadow.yml b/.github/workflows/ci-namespace-shadow.yml
@@ -20,6 +20,13 @@ concurrency:
 jobs:
   shadow-ci:
     name: '[shadow] CI'
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
+      issues: write
+      pull-requests: write
+      statuses: write
     uses: ./.github/workflows/ci.yml
     with:
       runner_provider: namespace
