From 43cf9b99fe11c84f4586b79e7bed2074586dafd6 Mon Sep 17 00:00:00 2001
From: Alexander Sapountzis
Date: Mon, 23 Mar 2026 15:45:34 -0400
Subject: [PATCH 1/2] fix(ci): add id-token permission for pr-notify workflow

The reusable oss_pr_opened_notification workflow requests id-token: write, but the calling workflow did not grant it, causing the workflow to fail.
---
 .github/workflows/reusable-workflows.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/reusable-workflows.yml b/.github/workflows/reusable-workflows.yml
index aa6af3d..1305834 100644
--- a/.github/workflows/reusable-workflows.yml
+++ b/.github/workflows/reusable-workflows.yml
@@ -21,6 +21,8 @@ jobs:
 needs:
 - web-kit-pull-request
 name: Notify GChat
+ permissions:
+ id-token: write
 uses: ROKT/rokt-workflows/.github/workflows/oss_pr_opened_notification.yml@main
 secrets:
 gchat_webhook: ${{ secrets.GCHAT_PRS_WEBHOOK }}

From cfc0c416da5c84cbd35f056f677e550eab1a82f1 Mon Sep 17 00:00:00 2001
From: Alexander Sapountzis
Date: Mon, 23 Mar 2026 18:25:07 -0400
Subject: [PATCH 2/2] fix(ci): add contents read permission for pr-notify workflow

The reusable workflow needs contents:read to check out the repo.
---
 .github/workflows/reusable-workflows.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/reusable-workflows.yml b/.github/workflows/reusable-workflows.yml
index 1305834..31ad189 100644
--- a/.github/workflows/reusable-workflows.yml
+++ b/.github/workflows/reusable-workflows.yml
@@ -23,6 +23,7 @@ jobs:
 name: Notify GChat
 permissions:
 id-token: write
+ contents: read
 uses: ROKT/rokt-workflows/.github/workflows/oss_pr_opened_notification.yml@main
 secrets:
 gchat_webhook: ${{ secrets.GCHAT_PRS_WEBHOOK }}
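Review bot: The added `id-token: write` grant goes to a reusable workflow referenced by a mutable branch (`...oss_pr_opened_notification.yml@main` on the `uses:` context line), so any later change on that branch runs with this repository's OIDC identity and also receives `GCHAT_PRS_WEBHOOK`. Pinning the callee to a full commit SHA would fix which code gets those privileges, e.g. `uses: ROKT/rokt-workflows/.github/workflows/oss_pr_opened_notification.yml@<full-commit-sha>  # main`. The same applies to the `contents: read` hunk in PATCH 2/2. If the token is exchanged with a cloud provider, its trust policy should presumably match on the `job_workflow_ref` claim rather than the repository alone. The job definition and the workflow's `on:` trigger are outside the hunk, so it is worth confirming which events can reach this job.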
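Review bot: The `permissions:` block in this hunk has no comment saying why the called workflow needs each scope. A job-level block leaves every unlisted scope at `none`, which is presumably why PATCH 1/2 on its own left the checkout without access. I would add above the block `# Scopes needed by the called workflow: id-token for its OIDC token request, contents to check out the repo; unlisted scopes stay none.` so a later edit neither drops a required scope nor widens the set without a stated reason. The job definition starts above the hunk.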