fix: add content read

gsanchezgavier · gsanchezgavier · commit d55975052e16 · 2025-11-24T16:41:42.000+01:00
diff --git a/.github/workflows/component_k8s_canaries.yml b/.github/workflows/component_k8s_canaries.yml
@@ -33,6 +33,7 @@ jobs:
     permissions:
       # required to oidc AWS
       id-token: write
+      contents: read
     steps:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
diff --git a/.github/workflows/component_onhost_canaries.yml b/.github/workflows/component_onhost_canaries.yml
@@ -30,6 +30,7 @@ jobs:
     permissions:
       # required to oidc AWS
       id-token: write
+      contents: read
     steps:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -109,6 +109,7 @@ jobs:
     needs: [ build-image ]
     permissions:
       id-token: write
+      contents: read
     with:
       image-tag: nightly
       cluster_name: Agent_Control_Canaries_Staging-Cluster
@@ -124,6 +125,7 @@ jobs:
     needs: [ upload-packages-s3 ]
     permissions:
       id-token: write
+      contents: read
     with:
       environment: staging
       operation: apply
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
@@ -136,6 +136,7 @@ jobs:
     needs: [ build-image ]
     permissions:
       id-token: write
+      contents: read
     with:
       image-tag: ${{ github.event.release.tag_name }}-rc
       cluster_name: Agent_Control_Canaries_Production-Cluster
@@ -151,6 +152,7 @@ jobs:
     needs: [ upload ]
     permissions:
       id-token: write
+      contents: read
     with:
       environment: production
       operation: apply
diff --git a/.github/workflows/push_pr_k8s_canaries_apply.yml b/.github/workflows/push_pr_k8s_canaries_apply.yml
@@ -21,6 +21,7 @@ jobs:
     permissions:
       # required to oidc AWS
       id-token: write
+      contents: read
     steps:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
diff --git a/.github/workflows/push_pr_k8s_canaries_plan.yml b/.github/workflows/push_pr_k8s_canaries_plan.yml
@@ -19,6 +19,7 @@ jobs:
     permissions:
       # required to oidc AWS
       id-token: write
+      contents: read
     steps:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
diff --git a/.github/workflows/push_pr_onhost_canaries_apply.yml b/.github/workflows/push_pr_onhost_canaries_apply.yml
@@ -20,6 +20,7 @@ jobs:
     permissions:
       # required to oidc AWS
       id-token: write
+      contents: read
     strategy:
       matrix:
         environment: [ staging, production ]
diff --git a/.github/workflows/push_pr_onhost_canaries_plan.yml b/.github/workflows/push_pr_onhost_canaries_plan.yml
@@ -21,6 +21,7 @@ jobs:
     permissions:
       # required to oidc AWS
       id-token: write
+      contents: read
     with:
       environment: ${{ matrix.environment }}
       operation: plan
