From 92d5e2f80014ba1588758f176f8d0676fe1cdda3 Mon Sep 17 00:00:00 2001
From: Marco Walz <marco.walz@dfinity.org>
Date: Tue, 24 Mar 2026 15:05:15 +0100
Subject: [PATCH] fix(ci): add missing permissions to deploy workflow

The deploy-ic.yml workflow started failing with startup_failure after
#115 added pull-requests: write to _checks.yml. The deploy workflow
never granted this permission to the reusable workflow call, causing
GitHub to reject the workflow at startup.

Adds top-level and job-level permissions to match ci.yml.
---
 .github/workflows/deploy-ic.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/deploy-ic.yml b/.github/workflows/deploy-ic.yml
index e280434..f99eec5 100644
--- a/.github/workflows/deploy-ic.yml
+++ b/.github/workflows/deploy-ic.yml
@@ -9,9 +9,16 @@ concurrency:
   group: ic-deploy
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   checks:
     uses: ./.github/workflows/_checks.yml
+    permissions:
+      contents: read
+      pull-requests: write
 
   deploy:
     needs: checks