From 138aba79fddfd3fbc9d601ab20948f25a04a41e2 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Tue, 2 Jul 2024 12:38:53 +0200 Subject: [PATCH] fixup! github: use federated auth for Azure login One "funny" quirk of GitHub Actions is that some of their YAML constructs that users _assume_ to be cumulative, are not. One example is the `permissions` block: Most readers will assume that the following YAML will combine `contents` and `id-token` permissions: permissions: id-token: write jobs: my-job: permissions: contents: write However, that is not the case! The inner `permissions` block completely negates the outer `permissions` block. So let's just repeat ourselves to force GitHub Actions to understand which permissions we need. Signed-off-by: Johannes Schindelin --- .github/workflows/build-git-installers.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml index f0d419f5efa6db..a8b5919328f5ba 100644 --- a/.github/workflows/build-git-installers.yml +++ b/.github/workflows/build-git-installers.yml @@ -666,6 +666,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: write + id-token: write # required for Azure login via OIDC needs: - validate-installers - create-linux-artifacts
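Review bot: The comment on the added `id-token: write` line (hunk at -666 in `.github/workflows/build-git-installers.yml`) says what the permission is for but not why it must be repeated at job level, so a later cleanup could remove it as an apparent duplicate of a workflow-level grant. Consider recording the reason from the commit message in the comment itself, for example `id-token: write # required for Azure login via OIDC; a job-level permissions block replaces the workflow-level one`. Two things to confirm before merging: the patch touches only this one job, so any other job that performs the Azure login and declares its own `permissions` block needs the same line; and since permissions are job-scoped, every step in this job can now request an OIDC token while also holding `contents: write`, so it is worth checking that the Azure login actually runs in this job and not in one of the jobs listed under `needs`.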