From ccaee9b5e81fccb9e2482a12b06d887085bfcc8e Mon Sep 17 00:00:00 2001
From: Junyi Hou
Date: Sat, 28 Mar 2026 15:46:58 +0800
Subject: [PATCH] fix: add permissions to backend caller workflows

Reusable workflows inherit permissions from the caller. Without explicit permissions in the callers, the nested jobs requesting packages:write and contents:write are denied.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/build-backend-dev.yml | 4 ++++
 .github/workflows/build-backend-prd.yml | 4 ++++
 .github/workflows/build-backend-stg.yml | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/.github/workflows/build-backend-dev.yml b/.github/workflows/build-backend-dev.yml
index b1a8005b..d0af1a3e 100644
--- a/.github/workflows/build-backend-dev.yml
+++ b/.github/workflows/build-backend-dev.yml
@@ -4,6 +4,10 @@ on:
 branches:
 - development
 
+permissions:
+ contents: write
+ packages: write
+
 jobs:
 build-and-deploy:
 uses: ./.github/workflows/_build-backend.yml
diff --git a/.github/workflows/build-backend-prd.yml b/.github/workflows/build-backend-prd.yml
index 9531d89d..01e26737 100644
--- a/.github/workflows/build-backend-prd.yml
+++ b/.github/workflows/build-backend-prd.yml
@@ -3,6 +3,10 @@ on:
 repository_dispatch:
 types: [prd]
 
+permissions:
+ contents: write
+ packages: write
+
 jobs:
 build-and-deploy:
 uses: ./.github/workflows/_build-backend.yml
diff --git a/.github/workflows/build-backend-stg.yml b/.github/workflows/build-backend-stg.yml
index 54bfffb0..891e3065 100644
--- a/.github/workflows/build-backend-stg.yml
+++ b/.github/workflows/build-backend-stg.yml
@@ -3,6 +3,10 @@ on:
 repository_dispatch:
 types: [stg]
 
+permissions:
+ contents: write
+ packages: write
+
 jobs:
 build-and-deploy:
 uses: ./.github/workflows/_build-backend.yml
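Review bot: The new `permissions:` block in build-backend-dev.yml sits at workflow level, and the prd and stg callers get the identical block, so `contents: write` and `packages: write` are granted to every job in each file, including any job added later. Each caller shows a single `build-and-deploy` job that calls `_build-backend.yml`, so the same three lines (`permissions:`, `contents: write`, `packages: write`) can move under `jobs.build-and-deploy`, which limits the write token to the one job that needs it. Declaring `permissions` also sets every unlisted scope to `none`; if the reusable workflow (not shown in this patch) requests anything else, such as `id-token`, that scope has to be listed as well. A short comment beside each scope saying which step needs it (image push, tag or release write) would make later tightening easier. The `build-and-deploy` job continues outside each hunk.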