From b6d7c238bd3a54ae24a439baf5fa854da85c8b91 Mon Sep 17 00:00:00 2001
From: Pulumi Bot <bot@pulumi.com>
Date: Tue, 9 Dec 2025 06:24:25 +0000
Subject: [PATCH] [internal] Update GitHub Actions workflow files

---
 .github/workflows/prerelease.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
index fc96bf0..ecfc5ad 100644
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@@ -13,6 +13,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
+      id-token: write # For ESC secrets.
     uses: ./.github/workflows/prerequisites.yml
     secrets: inherit
     with:
@@ -21,6 +22,9 @@ jobs:
       is_automated: ${{ github.actor == 'dependabot[bot]' }}
 
   build_provider:
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
     uses: ./.github/workflows/build_provider.yml
     needs: prerequisites
     secrets: inherit
@@ -32,6 +36,9 @@ jobs:
     needs: prerequisites
     uses: ./.github/workflows/build_sdk.yml
     secrets: inherit
+    permissions:
+      contents: write # For Renovate SDKs.
+      id-token: write # For ESC secrets.
     with:
       version: ${{ needs.prerequisites.outputs.version }}
 
@@ -48,6 +55,7 @@ jobs:
     name: publish
     permissions:
       contents: write
+      pull-requests: write
       id-token: write
     needs:
       - prerequisites