From 94583130b5762e375b14993a95ac25503c3b510c Mon Sep 17 00:00:00 2001
From: fkwp
Date: Mon, 2 Mar 2026 15:50:39 +0100
Subject: [PATCH] add id-token permission as its required by tailscale login
---
 .github/workflows/build-and-publish-docker.yaml | 3 ++-
 .github/workflows/build.yaml | 1 +
 .github/workflows/pr-deploy.yaml | 1 +
 .github/workflows/publish.yaml | 1 +
 4 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build-and-publish-docker.yaml b/.github/workflows/build-and-publish-docker.yaml
index 68f7131c..63175019 100644
--- a/.github/workflows/build-and-publish-docker.yaml
+++ b/.github/workflows/build-and-publish-docker.yaml
@@ -20,7 +20,8 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: write # required to upload release asset
- packages: write
+ packages: write # needed for publishing packages to GHCR
+ id-token: write # needed for login into tailscale with GitHub OIDC Token
 steps:
 - name: Check it out
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 9b86215e..4f9e80f2 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -49,6 +49,7 @@ jobs:
 permissions:
 contents: write
 packages: write
+ id-token: write
 uses: ./.github/workflows/build-and-publish-docker.yaml
 with:
 artifact_run_id: ${{ github.run_id }}
diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml
index fe934162..62b37aca 100644
--- a/.github/workflows/pr-deploy.yaml
+++ b/.github/workflows/pr-deploy.yaml
@@ -60,6 +60,7 @@ jobs:
 permissions:
 contents: write
 packages: write
+ id-token: write
 uses: ./.github/workflows/build-and-publish-docker.yaml
 with:
 artifact_run_id: ${{ github.event.workflow_run.id || github.run_id }}
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 7f2c58fe..ade91019 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
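Review bot: In the `permissions` block of build-and-publish-docker.yaml, `id-token: write` is granted at job level, so every step of the job can request a GitHub OIDC token, not only the Tailscale login, and the same job already holds `contents: write` and `packages: write`. The hunk shows only the first step (checkout, pinned to a commit SHA); the remaining steps lie outside it, so it is worth confirming that any third-party actions there are pinned the same way. The grant is only as narrow as whatever configuration on the Tailscale side accepts the token, which should match on claims such as `repository` and `job_workflow_ref` rather than on the issuer alone. I would make the comment say what the permission allows, e.g. `id-token: write # lets steps in this job request a GitHub OIDC token; used for Tailscale login`.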
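Review bot: The `id-token: write` line added to the caller job in build.yaml has no comment, unlike the one in build-and-publish-docker.yaml, so a reader of this file cannot tell why the job may request OIDC tokens. A called workflow cannot receive a permission its caller has not granted, which is why the line has to be repeated here; a short comment would record that, e.g. `id-token: write # passed to build-and-publish-docker.yaml for Tailscale OIDC login`. The same applies to the matching lines in pr-deploy.yaml and publish.yaml.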
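Review bot: The caller job in pr-deploy.yaml passes `github.event.workflow_run.id || github.run_id` as `artifact_run_id`, which suggests it can start from a `workflow_run` trigger and consume artifacts built by another run, and with this change that job can also obtain an OIDC token. If the triggering run can originate from a pull request (the trigger is outside the hunk), the artifact content should be treated as untrusted data inside a job that now holds `contents: write`, `packages: write` and `id-token: write`. It would help to confirm that the called workflow never executes anything taken from the downloaded artifact, and to consider a GitHub environment with required reviewers on the job that performs the login. The same reasoning applies to the hunk in publish.yaml, which passes the same expression.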
@@ -55,6 +55,7 @@ jobs:
 permissions:
 contents: write
 packages: write
+ id-token: write
 uses: ./.github/workflows/build-and-publish-docker.yaml
 with:
 artifact_run_id: ${{ github.event.workflow_run.id || github.run_id }}