From d2615a17eff192042b29b03a21e7535a1fd878fb Mon Sep 17 00:00:00 2001 From: Kevin Yu Date: Wed, 21 May 2025 13:56:03 -0700 Subject: [PATCH] CI: update permissions on workflows which get external secrets (#104792) (#105790) update permissions (cherry picked from commit e36d774d0cedbafde726b450c095548496b47080) Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com>
---
 .github/workflows/changelog.yml | 1 + .github/workflows/pr-patch-check-event.yml | 1 + .github/workflows/sync-mirror-event.yml | 4 ++-- 3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index c2dcc2972f1..8e7fe54f018 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -63,6 +63,7 @@ jobs:
 DRY_RUN: ${{ inputs.dry_run }}
 runs-on: ubuntu-latest
 permissions:
+ id-token: write
 contents: write
 pull-requests: write
 steps:
diff --git a/.github/workflows/pr-patch-check-event.yml b/.github/workflows/pr-patch-check-event.yml
index f7605f033ce..b274b86b87b 100644
--- a/.github/workflows/pr-patch-check-event.yml
+++ b/.github/workflows/pr-patch-check-event.yml
@@ -20,6 +20,7 @@ permissions: {}
 jobs:
 dispatch-job:
 permissions:
+ id-token: write
 contents: read
 actions: write
 env:
diff --git a/.github/workflows/sync-mirror-event.yml b/.github/workflows/sync-mirror-event.yml
index 13c9563846a..4a073c9b2b3 100644
--- a/.github/workflows/sync-mirror-event.yml
+++ b/.github/workflows/sync-mirror-event.yml
@@ -10,14 +10,14 @@ on:
 - "v*.*.*"
 - "release-*"
-permissions:
- id-token: write
+permissions: {}
 # This is run after the pull request has been merged, so we'll run against the target branch
 jobs:
 dispatch-job:
 runs-on: ubuntu-latest
 permissions:
+ id-token: write
 contents: read
 actions: write
 env:
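Review bot: The added `id-token: write` in the changelog job's `permissions:` block has no comment saying why the job mints an OIDC token, and the same is true of the `dispatch-job` additions in pr-patch-check-event.yml and sync-mirror-event.yml. A one-line comment such as `# id-token: write is needed to request the OIDC token used to fetch external secrets` would keep a later permissions cleanup from removing it or copying it blindly. This job also holds `contents: write` and `pull-requests: write`, and the permission is job-wide, so every step can request the token. The steps lie outside the hunk, so it is worth confirming that the secrets backend pins the token's repository and workflow claims.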
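Review bot: `dispatch-job` in pr-patch-check-event.yml now combines `id-token: write` with `actions: write`, and the file name suggests it runs on pull-request events; the trigger block and the job's steps are outside this hunk. If the trigger is `pull_request_target`, the job must not check out or execute code from the PR head, because any step in the job can request the OIDC token and reach whatever secrets it unlocks. It is worth confirming that the steps only dispatch a workflow with fixed inputs, and recording that next to the permission, e.g. `# this job never checks out or runs PR code`.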
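Review bot: Replacing the workflow-level block with `permissions: {}` in sync-mirror-event.yml means any job without its own `permissions:` block now runs with no token scopes, where it previously inherited `id-token: write`. Only `dispatch-job` is visible here and the `jobs:` map continues past the hunk, so check that any remaining jobs declare what they need. A short comment above the line, e.g. `# deny by default; each job declares its own permissions`, would record the intent.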