From 830843cdeea62783d694aa80d6997bd4651c0208 Mon Sep 17 00:00:00 2001 From: MRmarioruci <23653062+MRmarioruci@users.noreply.github.com> Date: Thu, 11 Jun 2026 07:24:01 +0000 Subject: [PATCH] fix(ci): grant update-deps write permissions for peter-evans MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit contents:read was too restrictive — peter-evans/create-pull-request still makes internal calls that need contents:write + pull-requests:write even when an App token is passed via `token:`. Symptom on main was "Requires authentication" at the Create Pull Request step, despite all four updaters succeeding upstream. update-passkey-aaguid.yml works because it has no permissions block at all (default permissive token). We keep the explicit block to satisfy CodeQL's "missing permissions" warning, just with the right scopes. --- .github/workflows/update-deps.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/update-deps.yml b/.github/workflows/update-deps.yml index 0bad82060e..b26b07fdf4 100644 --- a/.github/workflows/update-deps.yml +++ b/.github/workflows/update-deps.yml @@ -6,7 +6,8 @@ on: workflow_dispatch: permissions: - contents: read + contents: write + pull-requests: write jobs: update-deps:
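Review bot: the write scopes are added to the workflow-level `permissions:` block (the one between `on:` and `jobs:`), so they apply to the GITHUB_TOKEN of every job in update-deps.yml rather than only to the job that runs the Create Pull Request step. Consider leaving `contents: read` at the top level and declaring `contents: write` and `pull-requests: write` in a `permissions:` block under the `update-deps:` job, which keeps an explicit permissions declaration in the file while limiting write access to the job that needs it. The reason for the write scopes is only in the commit message; a short YAML comment beside the block noting that peter-evans/create-pull-request failed with "Requires authentication" under `contents: read` would keep a later least-privilege cleanup from reverting it.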