fix(INFRA-3631): add read-only job-level permissions to shadow CI caller

alucardzom · alucardzom · commit e9a5e8bffddc · 2026-05-15T16:21:13.000+02:00
Add job-level permissions to the shadow-ci caller job so the nested
ci.yml can start. All permissions are read-only except id-token:write
(required for Namespace runners) to avoid duplicating commit statuses
and PR comments that the normal CI pipeline already writes.
diff --git a/.github/workflows/ci-namespace-shadow.yml b/.github/workflows/ci-namespace-shadow.yml
@@ -20,6 +20,13 @@ concurrency:
 jobs:
   shadow-ci:
     name: '[shadow] CI'
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
+      issues: read
+      pull-requests: read
+      statuses: read
     uses: ./.github/workflows/ci.yml
     with:
       runner_provider: namespace
