defenseunicorns / delivery-aws-iac

Apache License 2.0

ci: fix permissions issues and move release-please to reusable workflow #365

Closed zack-is-cool closed 12 months ago

zack-is-cool commented 12 months ago

Permissions need to be set at caller workflow. Reusable (called) workflows may not have more permissions than the caller workflow. If you set any permissions, any permissions not set are set to none, so we need to keep that in mind.

We may want to look at adding permissions at the job level, I'm not sure how that interaction works with reusable workflows, but it is a bit more annoying to set it in multiple places.

Specifically, the GITHUB_TOKEN for our IaC tests needs id-token: write for OIDC AWS auth things, and that needs to be set at the top level workflow if set at the workflow level.
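The permission interaction described in this PR, shown as an added example rather than the repository's own workflow files: a caller workflow that grants exactly the scopes the called workflow needs, and a reusable workflow that consumes them. File names, the role ARN secret and the AWS region are placeholders; the key points are that the grant lives in the caller, that listing any permission drops every unlisted scope to none (so contents: read must be restated for checkout), and that the called workflow cannot raise its own permissions above what the caller passed in.

```yaml
# Caller workflow (placeholder path: .github/workflows/test-iac.yml).
name: test-iac
on:
  pull_request:

# Permissions are granted here, in the caller. A called workflow may only
# downgrade what it receives, never elevate it. Because a permissions block
# is present, every scope not listed below is set to "none", which is why
# contents: read has to be spelled out even though checkout needs it.
permissions:
  id-token: write   # lets the job request an OIDC token for AWS auth
  contents: read    # required for actions/checkout

jobs:
  iac-test:
    # jobs.<job_id>.permissions is also accepted on a job that uses a
    # reusable workflow, as a narrower alternative to the top-level block:
    # permissions:
    #   id-token: write
    #   contents: read
    uses: ./.github/workflows/reusable-iac-test.yml   # placeholder path
    secrets: inherit

---
# Called (reusable) workflow (placeholder path:
# .github/workflows/reusable-iac-test.yml).
name: reusable-iac-test
on:
  workflow_call:

# No permissions block here: the token arrives with the caller's scopes.
# Adding one would only be able to restrict them further.
jobs:
  aws-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4                    # needs contents: read
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          # Placeholder secret name; the role's trust policy must accept
          # the repository's OIDC subject.
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: us-east-1                      # placeholder region
```

If the caller omits the permissions block entirely, the token falls back to the repository's default GITHUB_TOKEN permissions, which do not include id-token: write, and the configure-aws-credentials step fails when it tries to request the OIDC token. The two documents are separated by `---` only for display; in the repository each is its own file.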