From 00fb7accbd350fca6700e60af0003dee4acc9639 Mon Sep 17 00:00:00 2001
From: "groombook-engineer[bot]"
 <3141748+groombook-engineer[bot]@users.noreply.github.com>
Date: Sat, 2 May 2026 21:51:00 +0000
Subject: [PATCH] fix: add id-token write permission for OIDC ghcr.io auth

Docker build push was failing with permission_denied: write_package.
The build-push-action v6 uses OIDC for authentication which requires id-token: write.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/workflows/ci.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 05fc1d8..20282bb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -65,6 +65,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4