s

brendan-kellam · brendan-kellam · commit 69adcc704cc4 · 2025-03-31T11:29:35.000-07:00
diff --git a/.github/workflows/_gcp-deploy.yml b/.github/workflows/_gcp-deploy.yml
@@ -14,9 +14,6 @@ jobs:
     environment: ${{ inputs.environment }}
     permissions:
       contents: 'read'
-      # Requird for OIDC auth with GCP.
-      # @see: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
-      id-token: 'write'
     env:
       IMAGE_PATH: us-west1-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/sourcebot/sourcebot-${{ vars.NEXT_PUBLIC_SOURCEBOT_CLOUD_ENVIRONMENT }}
     steps:
diff --git a/.github/workflows/scratch-workflow.yml b/.github/workflows/scratch-workflow.yml
@@ -8,5 +8,9 @@ on:
 jobs:
   scratch:
     uses: ./.github/workflows/_gcp-deploy.yml
+    permissions:
+      # Requird for OIDC auth with GCP.
+      # @see: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
+      id-token: 'write'
     with:
       environment: staging
