From f85f5bfc5300184520f8290480dae05bcc1ca58a Mon Sep 17 00:00:00 2001 From: neverland Date: Tue, 24 Dec 2024 17:38:31 +0800 Subject: [PATCH] chore(CI): fix missing permission for provenance (#4257) --- .github/workflows/issue-close-require.yml | 1 + .github/workflows/issue-labeled.yml | 1 + .github/workflows/pr-label.yaml | 1 + .github/workflows/release.yml | 4 ++++ 4 files changed, 7 insertions(+) diff --git a/.github/workflows/issue-close-require.yml b/.github/workflows/issue-close-require.yml index 3955027d95..64baccf426 100644 --- a/.github/workflows/issue-close-require.yml +++ b/.github/workflows/issue-close-require.yml @@ -5,6 +5,7 @@ on: - cron: '0 0 * * *' permissions: + # Permits `actions-cool/issues-helper` to close an issue issues: write contents: read diff --git a/.github/workflows/issue-labeled.yml b/.github/workflows/issue-labeled.yml index 8d7e848f8f..0a14ffa023 100644 --- a/.github/workflows/issue-labeled.yml +++ b/.github/workflows/issue-labeled.yml @@ -6,6 +6,7 @@ on: permissions: contents: read + # Permits `actions-cool/issues-helper` to comment on an issue issues: write jobs: diff --git a/.github/workflows/pr-label.yaml b/.github/workflows/pr-label.yaml index fa22320b1f..26fbe8b4f4 100644 --- a/.github/workflows/pr-label.yaml +++ b/.github/workflows/pr-label.yaml @@ -7,6 +7,7 @@ on: - edited permissions: + # Permits `github/issue-labeler` to add a label to a pull request pull-requests: write contents: read diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8d6de7c8d4..68c3348452 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -24,6 +24,10 @@ on: required: false default: true +permissions: + # Provenance generation in GitHub Actions requires "write" access to the "id-token" + id-token: write + jobs: release: name: Release
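Review bot: In the `release.yml` hunk, the new top-level `permissions:` block lists only `id-token: write`, and once a workflow declares `permissions`, every scope it does not list drops to `none`, so the `GITHUB_TOKEN` loses `contents` access. The other three workflows in this patch state `contents: read` explicitly; adding `contents: read` here makes the grant consistent and keeps checkout working if the repository is private. The release job's body is outside the hunk, so this is unverified, but any step that pushes a tag or creates a GitHub release would need `contents: write` instead. Because `id-token: write` lets any step in the workflow request an OIDC token, consider moving the block to `jobs.release.permissions` so the scope stays with the publishing job if more jobs are added later.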