From 19a5298f5bfd1b91db4bc769a2c4930509ff3102 Mon Sep 17 00:00:00 2001
From: Juan Fernandez <juan-fdz-hawa@users.noreply.github.com>
Date: Tue, 19 Aug 2025 14:04:17 -0400
Subject: [PATCH] Added missing permissions (#32021)

For #32007. Added missing permissions for attestation.
---
 .github/workflows/build-fleetd-base-msi.yml | 4 ++++
 .github/workflows/goreleaser-orbit.yaml     | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/.github/workflows/build-fleetd-base-msi.yml b/.github/workflows/build-fleetd-base-msi.yml
index 78e9602ad6..fa7e21424d 100644
--- a/.github/workflows/build-fleetd-base-msi.yml
+++ b/.github/workflows/build-fleetd-base-msi.yml
@@ -69,7 +69,11 @@ jobs:
   code-sign:
     needs: build
     uses: ./.github/workflows/code-sign-windows.yml
+    permissions:
+      id-token: write # required for attestations
+      attestations: write # required for attestations
     with:
+      attest: "true"
       filename: fleetd-base.msi
       upload_name: fleetd-base-msi
     secrets:
diff --git a/.github/workflows/goreleaser-orbit.yaml b/.github/workflows/goreleaser-orbit.yaml
index be72e69f38..35007083e1 100644
--- a/.github/workflows/goreleaser-orbit.yaml
+++ b/.github/workflows/goreleaser-orbit.yaml
@@ -203,6 +203,9 @@ jobs:
   code-sign-windows:
     needs: goreleaser-windows
     uses: ./.github/workflows/code-sign-windows.yml
+    permissions:
+      id-token: write # required for attestations
+      attestations: write # required for attestations
     with:
       attest: 'true'
       filename: orbit.exe
@@ -253,6 +256,9 @@ jobs:
   code-sign-windows-arm64:
     needs: goreleaser-windows-arm64
     uses: ./.github/workflows/code-sign-windows.yml
+    permissions:
+      id-token: write # required for attestations
+      attestations: write # required for attestations
     with:
       attest: 'true'
       filename: orbit.exe