From 6be41416ecce57928339a6f35e3f247333f85c9d Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 16 Oct 2025 14:51:22 +0100
Subject: [PATCH] updated workflow permissions
Signed-off-by: Mark Bolwell
---
 .github/workflows/devel_pipeline_validation.yml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
index deac4d7..8fd728a 100644
--- a/.github/workflows/devel_pipeline_validation.yml
+++ b/.github/workflows/devel_pipeline_validation.yml
@@ -17,12 +17,6 @@
 # Allow manual running of workflow
 workflow_dispatch:
- # Allow permissions for AWS auth
- permissions:
- id-token: write
- contents: read
- pull-requests: read
-
 # A workflow run is made up of one or more jobs
 # that can run sequentially or in parallel
 jobs:
@@ -30,6 +24,10 @@
 welcome:
 runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
+
 steps:
 - uses: actions/first-interaction@main
 with:
@@ -45,6 +43,13 @@
 playbook-test:
 # The type of runner that the job will run on
 runs-on: self-hosted
+
+ # Allow permissions for AWS auth
+ permissions:
+ id-token: write
+ contents: read
+ pull-requests: read
+
 env:
 ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
 # Imported as a variable by terraform
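Review bot: The new `issues: write` and `pull-requests: write` grants on the `welcome` job are handed to `actions/first-interaction@main`, a mutable branch ref, so whatever that branch points to at run time executes with a write-scoped token. The `uses:` line is context rather than part of this change, but the added grants are what make it matter. Pinning it to a full commit SHA, for example `- uses: actions/first-interaction@<full-commit-sha>  # <release tag>` (placeholders), keeps the reviewed code and the executed code the same. The step's `with:` block continues outside the hunk, so what is passed to the action cannot be checked from here.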
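Review bot: `id-token: write` is now scoped to `playbook-test`, which runs on a `self-hosted` runner, so every step in this job can request an OIDC token for the AWS role from a machine that may persist between runs. Which events reach the job is decided by the `on:` block, of which only `workflow_dispatch:` is visible here. If pull requests from forks can trigger it, the job should be gated, for instance behind an environment with required reviewers, before the token is usable. Because the first hunk removes the workflow-level block entirely, any job without its own `permissions:` now falls back to the repository default token scope. Keeping a deny-by-default `permissions: {}` at the top of the workflow would make the per-job blocks the only grants. The comment `# Allow permissions for AWS auth` describes only `id-token: write`, and a short note on why `contents` and `pull-requests` read access are needed would help the next reviewer.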