From 52f2025dc13184e0b334a805cc2fc5413d9ceea8 Mon Sep 17 00:00:00 2001 From: Kellen Murphy Date: Wed, 3 Jun 2026 17:43:43 -0400 Subject: [PATCH] fix(ci): drop unused deployments:write permission from deploy job MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Scorecard Token-Permissions (code-scanning alert #15) flagged the deploy job's job-level `deployments: write`. No step uses GitHub's Deployments API — the `environment: production` record is created by GitHub itself, and wrangler-action deploys to Cloudflare Pages without touching it. The remaining id-token/attestations writes are required by attest-build-provenance. --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 130b468..3cb650f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -143,7 +143,6 @@ jobs: environment: production permissions: contents: read - deployments: write id-token: write attestations: write steps:
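Review bot: In the `permissions:` block of the deploy job in .github/workflows/ci.yml, the two remaining write scopes (`id-token: write`, `attestations: write`) carry no inline justification, so the reasoning lives only in the commit message. Add a short comment beside them, for example `# required by attest-build-provenance`, so the next Token-Permissions triage does not have to rediscover why they stay. The entries under `steps:` fall outside the hunk's context, so the statement that no step uses the Deployments API cannot be checked from the diff alone. Before merging, confirm that no step passes the job token to an action that creates deployment records, because with `deployments: write` removed such a call would fail during the production deploy rather than in review.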