From 3b0ea1ad74dee086f28b22f670229f55f4b2784d Mon Sep 17 00:00:00 2001
From: Jake Awe <jawe@nvidia.com>
Date: Wed, 26 Jun 2024 10:31:24 -0500
Subject: [PATCH] add permissions to child job

---
 .github/workflows/pr.yaml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index b062e45e4..3fd68562f 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -9,9 +9,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  id-token: 'write'
-
 jobs:
   pr-builder:
     needs:
@@ -71,6 +68,12 @@ jobs:
       build_type: pull-request
       script: ci/test_wheel.sh
   wheel-publish:
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
+      packages: read
+      pull-requests: read
     needs: wheel-build
     secrets: inherit
     uses: rapidsai/shared-workflows/.github/workflows/wheels-publish.yaml@test_pypi_trusted_publish