From 42037c6530290e26a08627a249ee0b8e3da0eb25 Mon Sep 17 00:00:00 2001
From: Mara Nikola Kiefer
Date: Wed, 13 May 2026 21:27:51 +0200
Subject: [PATCH] ci: add missing permissions
---
.github/workflows/ci.yml | 28 ++++++++++------------------
1 file changed, 10 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 848da20..1d43dcc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -57,12 +57,17 @@ jobs:
run:
runs-on: ubuntu-latest
needs: [add]
+ permissions:
+ contents: write
+ actions: write
if: >-
github.event_name == 'schedule' ||
(github.event_name == 'push' && github.ref == 'refs/heads/main') ||
(github.event_name == 'workflow_dispatch' && github.event.inputs.run_trials == 'true')
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ fetch-depth: 0
- name: Set up gh-aw CLI
uses: github/gh-aw-actions/setup-cli@f8495a686e66770ae977f82732f34d7340ee42a4 # setup-cli action pin (installs CLI v0.72.1 below)
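Review bot: The new `permissions` block grants the job `actions: write`, which lets GITHUB_TOKEN dispatch or cancel any workflow in the repository rather than only the two trial workflows, and nothing in the hunk records why each key is needed; a comment per key would help the next maintainer judge whether the scope is still minimal, e.g. `contents: write  # push the temporary trial branch` and `actions: write  # gh aw run dispatches the published workflows`. Since pushes made with GITHUB_TOKEN do not start other workflow runs, the explicit dispatch is presumably what the `actions` scope is for, and that is worth stating next to it. `fetch-depth: 0` fetches the full history on every run; creating and pushing a fresh branch from HEAD does not obviously require it, so if it is only there for the gh-aw CLI a comment saying so would stop someone from removing it later. The `run` job continues past the end of this hunk.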
@@ -70,27 +75,14 @@ jobs:
version: v0.72.1
github-token: ${{ secrets.GITHUB_TOKEN }}
- - name: Install published workflows locally
+ - name: Run published workflows from temporary branch
run: |
+ RUN_BRANCH="ci/aw-trials-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
+ git switch --create "$RUN_BRANCH"
+ gh aw add "${{ github.workspace }}/workflows/copilot-token-audit.md" "${{ github.workspace }}/workflows/copilot-token-optimizer.md"
gh aw compile
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Push installed workflows to branch
- run: |
- git config user.name "github-actions[bot]"
- git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
- git add .github/workflows/copilot-token-audit.md .github/workflows/copilot-token-audit.lock.yml
- git add .github/workflows/copilot-token-optimizer.md .github/workflows/copilot-token-optimizer.lock.yml
- git commit -m "ci: add published workflows for execution" || echo "Nothing to commit"
- git push
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Run published workflows
- run: |
- gh aw run copilot-token-audit --ref "${{ github.ref_name }}"
- gh aw run copilot-token-optimizer --ref "${{ github.ref_name }}"
+ gh aw run copilot-token-audit copilot-token-optimizer --push --ref "$RUN_BRANCH"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
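Review bot: Every run now pushes a new branch named `ci/aw-trials-<run id>-<attempt>` and nothing in the step deletes it, so the scheduled trigger will leave a growing pile of branches in the repository. `RUN_BRANCH` is a shell variable local to this one step, so a later cleanup step cannot see it; after it is set, add `echo "RUN_BRANCH=$RUN_BRANCH" >> "$GITHUB_ENV"` and then either add a final step that deletes the branch or put a comment above the step saying where the branch is cleaned up. The dispatched trial workflows run asynchronously against that ref, so deleting it right after `gh aw run` may break their checkout; when it becomes safe cannot be told from this hunk. The removed step also set `user.name`/`user.email` before committing, and if `--push` commits through git on the runner that configuration is probably still required, which is worth confirming before relying on the scheduled run.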