fix: workflow permissions

edisile · edisile · commit 55dd7a961164 · 2026-01-09T15:04:09.000+01:00
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -8,13 +8,19 @@ on:
   workflow_dispatch:
     inputs:
       environment:
-        description: 'Environment (Production, Staging or Staging API)'
+        description: 'Environment to deploy'
         required: true
         type: choice
         options:
           - Production
           - Staging
           - Staging API
+  workflow_call:
+    inputs:
+      environment:
+        description: 'Environment ("Production", "Staging" or "Staging API")'
+        required: true
+        type: string
 
 jobs:
   setup:
@@ -63,7 +69,11 @@ jobs:
     # we will dispatch another copy of this workflow to deploy the Staging API env; we invoke the workflow
     # with an input, so `github.event.inputs.environment` won't be "" and the `if` condition above will be
     # false, thus there won't be a recursive loop
-    uses: canonical/snapcraft.io/.github/workflows/deploy.yaml@main
+    uses: ./.github/workflows/deploy.yaml
+    permissions:
+      contents: read
+      deployments: write
+      packages: write
     with:
       environment: Staging API
     secrets:
