From c9a419e5c64010aa5d3aba01a5d1a33362f152d2 Mon Sep 17 00:00:00 2001
From: Andrew Gable <andrew@expensify.com>
Date: Tue, 28 Oct 2025 15:37:11 -0600
Subject: [PATCH] Add permissions for OIDC in publish.yml

Added permissions for OIDC in the publish workflow.
---
 .github/workflows/publish.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 881a28a..3552338 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,6 +4,11 @@ on:
   push:
     branches: [main]
 
+permissions:
+  # Required for OIDC: https://docs.npmjs.com/trusted-publishers
+  id-token: write
+  contents: read
+
 # Ensure that only one instance of this workflow executes at a time.
 # If multiple PRs are merged in quick succession, there will only ever be one publish workflow running and one pending.
 concurrency: ${{ github.workflow }}