From 93b3e5f36796b3498c4da5ffa4601168121a11eb Mon Sep 17 00:00:00 2001
From: Vlada Dusek
Date: Mon, 25 May 2026 17:50:22 +0200
Subject: [PATCH] ci: Grant `checks: read` to remaining reusable-workflow callers

Every job that calls `manual_release_docs.yaml` or `manual_version_docs.yaml` must explicitly grant `checks: read`, since reusable workflows are capped at the permissions the caller declares. Covers the doc release in the beta flow and both docs jobs in the stable release flow.
---
 .github/workflows/manual_release_beta.yaml | 1 +
 .github/workflows/manual_release_stable.yaml | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/.github/workflows/manual_release_beta.yaml b/.github/workflows/manual_release_beta.yaml
index 207638066e..062ac1b3c8 100644
--- a/.github/workflows/manual_release_beta.yaml
+++ b/.github/workflows/manual_release_beta.yaml
@@ -104,5 +104,6 @@ jobs:
 contents: write
 pages: write
 id-token: write
+ checks: read
 uses: ./.github/workflows/manual_release_docs.yaml
 secrets: inherit
diff --git a/.github/workflows/manual_release_stable.yaml b/.github/workflows/manual_release_stable.yaml
index d1448df0d2..0e35ab2fc0 100644
--- a/.github/workflows/manual_release_stable.yaml
+++ b/.github/workflows/manual_release_stable.yaml
@@ -138,6 +138,7 @@ jobs:
 needs: [release_prepare, changelog_update, pypi_publish]
 permissions:
 contents: write
+ checks: read
 uses: ./.github/workflows/manual_version_docs.yaml
 with:
 # Pass the bumped version explicitly — the job's checkout uses the dispatch ref (pre-bump),
@@ -152,5 +153,6 @@ jobs:
 contents: write
 pages: write
 id-token: write
+ checks: read
 uses: ./.github/workflows/manual_release_docs.yaml
 secrets: inherit
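Review bot: The added `checks: read` line in the beta docs job carries no comment saying why it is there, and the same holds for the two additions in `manual_release_stable.yaml` (the `manual_version_docs.yaml` caller and the `manual_release_docs.yaml` caller). The reason is recorded only in the commit message, so a later least-privilege tidy-up of these `permissions` blocks could drop the line and break the call again. I would put a line above each grant, e.g. `# Required by the called workflow; a reusable workflow's token is capped at the caller's permissions.` Which step of the called workflows actually needs the scope is not visible in this diff, so naming it in the comment would have to come from those files. All three jobs begin outside their hunks.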