From 9a45f0924dc074b0d3d59aa0540fead20e165cf5 Mon Sep 17 00:00:00 2001
From: Manmohan <66306483+manmohan659@users.noreply.github.com>
Date: Thu, 16 Apr 2026 19:59:14 -0400
Subject: [PATCH] fix(ci): grant id-token write so EC2 deploy can assume the OIDC role (#40)

aws-actions/configure-aws-credentials needs id-token: write to mint the OIDC JWT and assume AWS_ROLE_ARN. Without it the deploy-ec2 workflow fails at the credentials step. Add the permission at workflow scope.

Co-authored-by: Claude Opus 4.7 (1M context)
---
 .github/workflows/deploy-ec2.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/deploy-ec2.yml b/.github/workflows/deploy-ec2.yml
index 43fb1887..9c3b5b02 100644
--- a/.github/workflows/deploy-ec2.yml
+++ b/.github/workflows/deploy-ec2.yml
@@ -11,6 +11,10 @@ concurrency:
   group: deploy-ec2
   cancel-in-progress: false
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   deploy:
     if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
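Review bot: The new workflow-scope `permissions` block grants `id-token: write` to every job in this file, while only the `deploy` job needs to assume the role; keep `contents: read` at workflow scope and move the OIDC grant down to `jobs.deploy.permissions` (`permissions:` / `  id-token: write` / `  contents: read` under `deploy:`) so any job added later does not inherit the ability to mint a token the AWS trust policy will accept. The rest of the `deploy` job (its `runs-on` and steps, including the configure-aws-credentials step the message refers to) is outside the hunk, so I cannot confirm whether other jobs exist. Since the `if:` gate shows this workflow also runs on `workflow_run`, it is worth confirming that the role's trust policy pins the `sub` claim to this repository and branch or environment rather than to the repository alone, because that condition — not the workflow permission — is what limits which runs can obtain AWS credentials.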