From 3601a8c08057381d2332f5dbc34b52c1872f7b0d Mon Sep 17 00:00:00 2001
From: Matt Hammond
Date: Thu, 25 Jun 2026 22:35:15 +0100
Subject: [PATCH] ci: restore required permissions for the Features reusable workflow
The build job in features.yml calls the reusable workflow ably/features/.github/workflows/sdk-features.yml@main, whose job requires deployments: write and id-token: write. After #678 scoped the caller job to only contents: read, those scopes were stripped (a reusable workflow cannot elevate beyond what the caller grants), causing an invisible failure at workflow startup. Grant the two missing scopes on the calling job so OIDC (aws-actions/configure-aws-credentials) and the sdk-upload-action work again. Top-level permissions: {} is left intact.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/features.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/features.yml b/.github/workflows/features.yml
index 7ef37a9a..caedd9bf 100644
--- a/.github/workflows/features.yml
+++ b/.github/workflows/features.yml
@@ -11,7 +11,9 @@ permissions: {}
 jobs:
 build:
 permissions:
- contents: read
+ contents: read # checkout
+ deployments: write # ably/sdk-upload-action
+ id-token: write # aws-actions/configure-aws-credentials (OIDC)
 uses: ably/features/.github/workflows/sdk-features.yml@main
 with:
 repository-name: ably-python
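Review bot: The `uses:` line on the `build` job still references the reusable workflow by the mutable ref `@main`, and with this change that workflow runs with `id-token: write` and `deployments: write`. Whatever lands on that branch of `ably/features` can then request an OIDC token for this repository and create deployments, without any change being reviewed here. Pinning the call to a full commit SHA, e.g. `uses: ably/features/.github/workflows/sdk-features.yml@<full-commit-sha> # main`, keeps the granted scopes tied to reviewed code. It would also be worth confirming that the AWS role's trust policy restricts the token's claims to this repository and workflow; that configuration is not visible in this patch. The job's `with:` block continues past the end of the hunk.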