From 58796afd7d04739b6d5d2ad07545a317499b026f Mon Sep 17 00:00:00 2001
From: arpitjain099 <arpitjain099@gmail.com>
Date: Wed, 13 May 2026 10:46:43 +0000
Subject: [PATCH] ci(deploy): per-job permissions for docs + docker
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- docs job: contents: write — needed because
  crazy-max/ghaction-github-pages@v3 pushes built docs to gh-pages
  using GITHUB_TOKEN.
- docker job: contents: read — DockerHub push uses
  secrets.DOCKER_USERNAME/DOCKER_TOKEN, so GITHUB_TOKEN only needs
  read access to the checkout.

Matches the per-workflow permissions pattern already in stable.yml
and nightly.yml.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
---
 .github/workflows/deploy.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 2ee3da23771..a4031d73463 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -10,6 +10,8 @@ env:
 
 jobs:
   docs:
+    permissions:
+      contents: write  # crazy-max/ghaction-github-pages pushes to gh-pages
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
@@ -36,6 +38,8 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   docker:
+    permissions:
+      contents: read  # DockerHub push uses DOCKER_USERNAME/DOCKER_TOKEN, not GITHUB_TOKEN
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources