From 1eee99199772b8ef61bc288b496464e96e635fbd Mon Sep 17 00:00:00 2001
From: zhora
Date: Mon, 16 Mar 2026 00:43:03 -0600
Subject: [PATCH] fix(ci): add write permissions to update-flake-lock workflow (#2630)

The workflow needs contents:write to push the flake.lock update branch and pull-requests:write to create the PR. Without these, the default GITHUB_TOKEN causes a 403 error.

Co-Authored-By: Claude Opus 4.6
Executed-By: gastown/crew/zhora
Rig: gastown
Role: crew
---
 .github/workflows/update-flake-lock.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml
index d5ab63293a..880c5d8e15 100644
--- a/.github/workflows/update-flake-lock.yml
+++ b/.github/workflows/update-flake-lock.yml
@@ -5,6 +5,10 @@ on:
 schedule:
 - cron: '0 0 * * 0' # Weekly on Sunday at midnight UTC
+permissions:
+ contents: write
+ pull-requests: write
+
 jobs:
 update-flake-lock:
 runs-on: ubuntu-latest
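Review bot: The new `permissions:` block sits at workflow level, so `contents: write` and `pull-requests: write` apply to every job in this file, including any added later; only `update-flake-lock` is visible here and the `jobs:` map continues outside the hunk. Scoping the grant to the job keeps the token least-privileged: move `permissions:` with `contents: write` and `pull-requests: write` under `update-flake-lock:`, and if other jobs exist give the workflow a restrictive default such as `permissions: {}`. Because the job's steps now run with a token that can push to the repository, the actions they call (not shown in this hunk) are worth pinning to full commit SHAs rather than mutable tags. A short comment such as `# write scopes: push the flake.lock update branch and open the PR` next to the block would record why the grant exists.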