From e4b41709b50fdb767e3c5a36c3f8882fe3384b50 Mon Sep 17 00:00:00 2001
From: William Phetsinorath
Date: Sun, 19 Apr 2026 03:35:32 +0200
Subject: [PATCH] Update [ghstack-poisoned]

---
 .github/workflows/integration.yaml | 3 +++
 .github/workflows/nix.yaml | 3 +++
 modules/devenv/integrations/github/nix.nix | 8 ++++++++
 3 files changed, 14 insertions(+)

diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
index b0b2abb..793d49e 100644
--- a/.github/workflows/integration.yaml
+++ b/.github/workflows/integration.yaml
@@ -7,6 +7,9 @@ jobs:
 if: ${{ github.event_name == 'workflow_call' || github.event_name == 'workflow_dispatch' || github.event.pull_request.draft == false }}
+ permissions:
+ contents: read
+ packages: write
 secrets:
 CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
 OPERATOR_PRIVATE_KEY: ${{ secrets.OPERATOR_PRIVATE_KEY }}
diff --git a/.github/workflows/nix.yaml b/.github/workflows/nix.yaml
index 108399d..4d693dc 100644
--- a/.github/workflows/nix.yaml
+++ b/.github/workflows/nix.yaml
@@ -63,6 +63,9 @@ jobs:
 runs-on: ${{ matrix.runner }}
 needs:
 - setup-packages-jobs
+ permissions:
+ contents: read
+ packages: write
 strategy:
 fail-fast: false
 matrix:
diff --git a/modules/devenv/integrations/github/nix.nix b/modules/devenv/integrations/github/nix.nix
index eb6b4c3..dccf414 100644
--- a/modules/devenv/integrations/github/nix.nix
+++ b/modules/devenv/integrations/github/nix.nix
@@ -132,6 +132,10 @@ in
 needs = [ "setup-packages-jobs" ];
 "if" = "\${{ needs['setup-packages-jobs'].outputs.continue == 'true' }}";
 runs-on = "\${{ matrix.runner }}";
+ permissions = {
+ contents = "read";
+ packages = "write";
+ };
 strategy = {
 fail-fast = false;
 matrix.include = "\${{ fromJSON(needs['setup-packages-jobs'].outputs.matrix) }}";
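Review bot: `packages: write` in the integration.yaml hunk is granted on every run the `if:` on the preceding line admits, including non-draft `pull_request` runs, so a same-repo PR branch gets a GITHUB_TOKEN that can publish packages (fork PRs keep GitHub's read-only token regardless). Declaring a `permissions` block also drops every unlisted scope to `none`, and if this job is the caller of the reusable `nix.yaml` workflow — as the generated counterpart in nix.nix suggests — the block becomes the ceiling for that workflow's token, so confirm it needs nothing else such as `id-token: write` or `pull-requests: write`. I would state the intent above the block: `# GITHUB_TOKEN ceiling for the called workflow; packages: write is for publishing only — every other scope is deliberately none`. The hunk header counts six old lines but only four are visible, so part of the job definition (likely its name and `uses:`) lies outside what is shown.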
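Review bot: In the nix.yaml hunk `packages: write` is attached to the whole matrix job, so every leg that the `strategy.matrix` below fans out to runs with a write-capable token, including legs that only build; if publishing happens in one step or on one runner, a dedicated publish job holding `packages: write` with this job kept at `packages: read` would shrink what a compromised build step can reach. Because this job lives in a reusable workflow, its grant cannot exceed what the caller passes — GitHub refuses to elevate a called job above the caller's grant — so every caller of `nix.yaml` now has to pass at least `packages: write` or the job is expected to fail to start. A comment would make that contract visible: `# requires the caller to grant packages: write; all other scopes are intentionally none`. The job header starts above the hunk.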
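Review bot: In the nix.nix hunk the `permissions` attrset is a literal repeated in this job and again in the caller job generated further down (the second hunk), and the same two scopes are hand-written into the two YAML files this module appears to render, so the four copies can drift. I would bind it once in the enclosing `let` (which starts above the hunk): `jobPermissions = { contents = "read"; packages = "write"; };` and write `permissions = jobPermissions;` at both sites, or expose it as a module option so a consumer that does not publish packages can lower `packages` to `"read"` without forking the module. `packages = "write"` is the only write scope granted, which is worth saying in a comment next to the binding so the next edit does not widen it casually.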
@@ -283,6 +287,10 @@ in
 "if" = "\${{ github.event_name == 'workflow_call' || github.event_name == 'workflow_dispatch' || github.event.pull_request.draft == false }}";
 uses = "./.github/workflows/nix.yaml";
+ permissions = {
+ contents = "read";
+ packages = "write";
+ };
 secrets = {
 OPERATOR_PRIVATE_KEY = "\${{ secrets.OPERATOR_PRIVATE_KEY }}";
 CACHIX_AUTH_TOKEN = "\${{ secrets.CACHIX_AUTH_TOKEN }}";