From ef35254def6527b9715bf5be2a9f24597ced89f7 Mon Sep 17 00:00:00 2001
From: Mark Esler
Date: Thu, 5 Mar 2026 22:27:45 -0800
Subject: [PATCH] fix: add organization_administration write to verify and sync policies

Required to read and manage organization rulesets during terraform plan and apply.
---
 .github/chainguard/sync-github.sts.yaml | 1 +
 .github/chainguard/verify-github.sts.yaml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/chainguard/sync-github.sts.yaml b/.github/chainguard/sync-github.sts.yaml
index 5d97063..5d4cb5b 100644
--- a/.github/chainguard/sync-github.sts.yaml
+++ b/.github/chainguard/sync-github.sts.yaml
@@ -7,6 +7,7 @@ claim_pattern:
 job_workflow_ref: chainguard-dev/infra/.github/workflows/.terraform.yaml@.*
 permissions:
+ organization_administration: write # required to manage organization rulesets
 administration: write # required to manage the repository
 contents: write # required per terraform docs (https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository)
 members: write # to add/remove GitHub members
diff --git a/.github/chainguard/verify-github.sts.yaml b/.github/chainguard/verify-github.sts.yaml
index 5860ec1..94c8ff6 100644
--- a/.github/chainguard/verify-github.sts.yaml
+++ b/.github/chainguard/verify-github.sts.yaml
@@ -7,6 +7,7 @@ claim_pattern:
 job_workflow_ref: chainguard-dev/infra/.github/workflows/.terraform.yaml@.*
 permissions:
+ organization_administration: write # required to read organization rulesets
 administration: read # required to read the repository
 contents: write # required per terraform docs (https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository)
 members: read # to add/remove GitHub members
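Review bot: The new `organization_administration: write` line in sync-github.sts.yaml is an organization-wide permission, not a repository-scoped one like the `administration: write` directly below it, and the inline comment does not make that widened blast radius visible to whoever next audits this policy. Organization "Administration" write on a GitHub App installation token reaches org settings beyond rulesets, so the comment should state the scope and the justification, e.g. `organization_administration: write # org-wide scope (broader than the repo-level administration below); needed to manage organization rulesets`. Following the `contents` line's convention, a link to the terraform provider resource that actually requires it would also help a future reviewer confirm the permission is still needed. The `claim_pattern` and subject that gate who can assume this identity sit outside the hunk, so I cannot tell from here how narrowly the org-wide grant is scoped to a trusted workflow ref.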
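Review bot: In verify-github.sts.yaml the new line grants `organization_administration: write` while its own comment says the requirement is only to read organization rulesets, and the sibling permissions this plan-side policy already carries for the same purpose are read-only (`administration: read`, `members: read`); handing the verify identity org-level admin write breaks the least-privilege split between the verify (plan) and sync (apply) policies that this file pair exists to enforce. The fine-grained organization Administration permission has a read level, and listing or getting organization rulesets is a read operation, so the line should be `organization_administration: read # required to read organization rulesets` unless a plan run is observed to fail with read, in which case the comment should say which call needs write. Worth confirming on a plan before merging rather than defaulting to write. The `contents: write` on this read-side policy predates this change and is out of scope here.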