From a57283753c8da27b5e2346b768cfd38701b457c1 Mon Sep 17 00:00:00 2001
From: Pulumi Bot
Date: Sat, 1 Feb 2025 05:13:21 +0000
Subject: [PATCH] [internal] Update GitHub Actions workflow files
---
 .github/workflows/master.yml | 1 +
 .github/workflows/prerelease.yml | 1 +
 .github/workflows/prerequisites.yml | 2 +-
 .github/workflows/publish.yml | 3 +++
 .github/workflows/release.yml | 1 +
 .github/workflows/verify-release.yml | 3 +++
 6 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
index 78f042e4c3..eefe63515a 100644
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@@ -101,6 +101,7 @@ jobs:
 name: publish
 permissions:
 contents: write
+ id-token: write
 needs:
 - prerequisites
 - build_provider
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
index b202f8074b..6d80333873 100644
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@@ -62,6 +62,7 @@ jobs:
 name: publish
 permissions:
 contents: write
+ id-token: write
 needs:
 - prerequisites
 - build_provider
diff --git a/.github/workflows/prerequisites.yml b/.github/workflows/prerequisites.yml
index f375349fa3..823b026bfc 100644
--- a/.github/workflows/prerequisites.yml
+++ b/.github/workflows/prerequisites.yml
@@ -85,7 +85,7 @@ jobs:
 - name: Unit-test provider code
 run: make test_provider
 - name: Upload coverage reports to Codecov
- uses: codecov/codecov-action@0da7aa657d958d32c117fc47e1f977e7524753c7 # v5.3.0
+ uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
 env:
 CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 - if: inputs.is_pr
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 809843908f..53aad53fd0 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
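Review bot: The `id-token: write` added to the `publish` job in `.github/workflows/master.yml` carries no comment saying what consumes the OIDC token, and the commit message does not say either; the same applies to the `publish` hunks in `prerelease.yml` and `release.yml`. With this scope any step in the job, including third-party actions, can request a token asserting this repository's identity, so the relying party's trust policy should pin the `sub` claim to the repository and the expected ref or environment, not to the organisation alone. Suggest a comment above the new line such as `# OIDC token is exchanged with <relying party> by <step or called workflow>`. The job definition continues outside the hunk, so whether it is a reusable-workflow call is not visible here.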
@@ -212,6 +212,9 @@ jobs:
 verify_release:
 name: verify_release
 needs: publish_sdk
+ permissions:
+ contents: write
+ id-token: write
 uses: ./.github/workflows/verify-release.yml
 secrets: inherit
 with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e265503d73..bdeec69171 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -68,6 +68,7 @@ jobs:
 permissions:
 contents: write
 pull-requests: write
+ id-token: write
 needs:
 - prerequisites
 - build_provider
diff --git a/.github/workflows/verify-release.yml b/.github/workflows/verify-release.yml
index 5a75811872..170d02994d 100644
--- a/.github/workflows/verify-release.yml
+++ b/.github/workflows/verify-release.yml
@@ -77,6 +77,9 @@ jobs:
 # See the docs for a similar example to this: https://docs.github.com/en/actions/learn-github-actions/expressions#fromjson
 runner: ${{ fromJSON(format('["ubuntu-latest","windows-latest"{0}]', inputs.enableMacRunner && ',"macos-latest"' || '')) }}
 runs-on: ${{ matrix.runner }}
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 steps:
 - name: Configure Git to checkout files with long names
 run: git config --global core.longpaths true
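Review bot: The `verify_release` caller in `.github/workflows/publish.yml` grants `contents: write`, but the job it reaches in `verify-release.yml`, changed in this same commit, asks only for `contents: 'read'`. A called workflow can lower but not raise what its caller grants, so the caller only has to match the callee. Unless another job in `verify-release.yml` (not visible here) needs write access, the new line can be `contents: read`. The call also passes `secrets: inherit`, which is one more reason to keep the token it runs with as narrow as the callee allows.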
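Review bot: The permission values added in `.github/workflows/verify-release.yml` are quoted (`contents: 'read'`, `id-token: 'write'`), while every other hunk in this commit writes them plain (`contents: write`, `id-token: write`). Both forms parse to the same strings, but using one form across the workflow files keeps a grep for granted scopes reliable; suggest `contents: read` and `id-token: write`. The job's steps continue past the hunk, and a job-level `permissions` block sets every unlisted scope to none, so it is worth confirming that no later step relies on another scope.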