From 204fd9b1c2add7600b214bca721342fc88bedde3 Mon Sep 17 00:00:00 2001
From: Matthew Warman
Date: Sat, 4 Apr 2026 07:50:21 -0400
Subject: [PATCH] Add permissions to deploy workflows for DEV, PROD, and QA
---
 .github/workflows/deploy-dev.yml | 3 +++
 .github/workflows/deploy-prod.yml | 3 +++
 .github/workflows/deploy-qa.yml | 3 +++
 3 files changed, 9 insertions(+)
diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
index acca05c..d2916ab 100644
--- a/.github/workflows/deploy-dev.yml
+++ b/.github/workflows/deploy-dev.yml
@@ -16,6 +16,9 @@ jobs:
 deploy:
 name: Deploy to DEV
 uses: ./.github/workflows/deploy-reusable.yml
+ permissions:
+ id-token: write
+ contents: read
 with:
 aws_region: ${{ vars.AWS_REGION }}
 aws_role_arn: ${{ vars.AWS_ROLE_ARN_DEV }}
diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml
index 4636f90..f43d08e 100644
--- a/.github/workflows/deploy-prod.yml
+++ b/.github/workflows/deploy-prod.yml
@@ -16,6 +16,9 @@ jobs:
 deploy:
 name: Deploy to PROD
 uses: ./.github/workflows/deploy-reusable.yml
+ permissions:
+ id-token: write
+ contents: read
 with:
 aws_region: ${{ vars.AWS_REGION }}
 aws_role_arn: ${{ vars.AWS_ROLE_ARN_PROD }}
diff --git a/.github/workflows/deploy-qa.yml b/.github/workflows/deploy-qa.yml
index 14983a6..d8b19c2 100644
--- a/.github/workflows/deploy-qa.yml
+++ b/.github/workflows/deploy-qa.yml
@@ -15,6 +15,9 @@ jobs:
 deploy:
 name: Deploy to QA
 uses: ./.github/workflows/deploy-reusable.yml
+ permissions:
+ id-token: write
+ contents: read
 with:
 aws_region: ${{ vars.AWS_REGION }}
 aws_role_arn: ${{ vars.AWS_ROLE_ARN_QA }}
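Review bot: The new `permissions:` block on the `deploy` job in deploy-dev.yml has no comment saying why each scope is granted, and the same holds for the identical blocks in deploy-prod.yml and deploy-qa.yml. On a job that calls a reusable workflow this block is the ceiling for every job inside deploy-reusable.yml, and any scope not listed falls to no access, so a later step there that needs another scope will fail without an obvious cause. I would put `# id-token: write lets deploy-reusable.yml request an OIDC token for the AWS role; contents: read covers checkout; nothing else is granted` above `permissions:`. That the reusable workflow uses OIDC and checks out the repository is inferred from `aws_role_arn`, since that file is not part of this patch, and the job body continues outside each hunk.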
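Review bot: In deploy-prod.yml the `id-token: write` grant is the same as for DEV and QA and the role is read from `vars.AWS_ROLE_ARN_PROD`, so nothing in the workflow itself separates a production deploy from any other job in the repository that can request a token. The separation therefore rests on the trust policy of the PROD role, which should condition the token's `sub` claim on this repository and the production branch or environment, and pin `aud`; that policy is not visible in this patch, so it is worth confirming before merge. A job that uses `uses:` cannot declare `environment:` itself, so any approval gate for PROD has to be defined inside deploy-reusable.yml. A short comment such as `# PROD role trust policy must restrict sub to this repo and the release ref` next to `aws_role_arn` would record that dependency.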