From d66884a38baa28505de4611079064a9cf3d8d471 Mon Sep 17 00:00:00 2001
From: mkorwel <matt.korwel@gmail.com>
Date: Tue, 21 Oct 2025 20:25:47 -0700
Subject: [PATCH] fix(ci): restore full explicit permissions to orchestrator

---
 .github/workflows/orchestrator.yml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/orchestrator.yml b/.github/workflows/orchestrator.yml
index afe527c620..40a026f5ca 100644
--- a/.github/workflows/orchestrator.yml
+++ b/.github/workflows/orchestrator.yml
@@ -8,7 +8,22 @@ on:
       - 'release/**'
   merge_group:
 
-permissions: 'read-all'
+permissions:
+  contents: 'read'
+  packages: 'write'
+  pull-requests: 'write'
+  security-events: 'write'
+  checks: 'write'
+  statuses: 'write'
+  actions: 'read'
+  attestations: 'read'
+  deployments: 'read'
+  discussions: 'read'
+  issues: 'read'
+  models: 'read'
+  pages: 'read'
+  repository-projects: 'read'
+  id-token: 'read'
 
 concurrency:
   group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}'