From 60ca0af6b25d021b642899bfb35e95dee79a464a Mon Sep 17 00:00:00 2001
From: Pulumi Bot <30351955+pulumi-bot@users.noreply.github.com>
Date: Fri, 31 Jan 2025 22:40:54 -0700
Subject: [PATCH] Update GitHub Actions workflows. (#720)

This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 8460c384731548e00825ae32d83c7cb61b5da682.
---
 .github/workflows/master.yml        | 1 +
 .github/workflows/prerelease.yml    | 1 +
 .github/workflows/prerequisites.yml | 2 +-
 .github/workflows/publish.yml       | 3 +++
 .github/workflows/release.yml       | 1 +
 5 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
index d1f11425..97818aae 100644
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@@ -95,6 +95,7 @@ jobs:
     name: publish
     permissions:
       contents: write
+      id-token: write
     needs:
       - prerequisites
       - build_provider
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
index 959ae369..299ee13c 100644
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@@ -56,6 +56,7 @@ jobs:
     name: publish
     permissions:
       contents: write
+      id-token: write
     needs:
       - prerequisites
       - build_provider
diff --git a/.github/workflows/prerequisites.yml b/.github/workflows/prerequisites.yml
index d9389095..2bfe2849 100644
--- a/.github/workflows/prerequisites.yml
+++ b/.github/workflows/prerequisites.yml
@@ -74,7 +74,7 @@ jobs:
     - name: Unit-test provider code
       run: make test_provider
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@0da7aa657d958d32c117fc47e1f977e7524753c7 # v5.3.0
+      uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
       env:
         CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     - if: inputs.is_pr
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f468d96d..4ed25912 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -206,6 +206,9 @@ jobs:
   verify_release:
     name: verify_release
     needs: publish_sdk
+    permissions:
+      contents: write
+      id-token: write
     uses: ./.github/workflows/verify-release.yml
     secrets: inherit
     with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d7b20bd4..5655ef0a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -62,6 +62,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+      id-token: write
     needs:
       - prerequisites
       - build_provider