ci: Add OIDC permissions and flake-checker-action

lambdalisue · lambdalisue · commit 481e2f6ab7ed · 2025-11-30T20:43:43.000+09:00
diff --git a/.github/workflows/build.echo-graphql.yml b/.github/workflows/build.echo-graphql.yml
@@ -17,28 +17,40 @@ on:
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: "write"
+      contents: "read"
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: DeterminateSystems/flake-checker-action@main
       - run: nix develop -c just echo-graphql::lint
       - run: nix develop -c just echo-graphql::fmt
       - run: git diff --exit-code
 
   test:
     needs: check
     runs-on: ubuntu-latest
+    permissions:
+      id-token: "write"
+      contents: "read"
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: DeterminateSystems/flake-checker-action@main
       - run: nix develop -c just echo-graphql::test
 
   build:
     needs: check
     runs-on: ubuntu-latest
+    permissions:
+      id-token: "write"
+      contents: "read"
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: DeterminateSystems/flake-checker-action@main
       - run: nix develop -c just echo-graphql::build
