From 1dc3139fcd17e49bc0823ad63b2f086ccf034e81 Mon Sep 17 00:00:00 2001
From: Erica Portnoy
Date: Tue, 12 May 2026 11:20:22 -0700
Subject: [PATCH] gh api needs github token
---
 .github/workflows/nightly.yml | 3 ++-
 .github/workflows/notify_nightly.yml | 6 +++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index d7596b68b..4942ba706 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -118,6 +118,7 @@ jobs:
 # jobs, failure() returns true if any ancestor job fails.
 if: failure() && (needs.re-run.result == 'skipped' || needs.re-run.result == 'failure')
 uses: "./.github/workflows/notify_nightly.yml"
- permissions: {}
+ permissions:
+ actions: read
 secrets:
 MATTERMOST_PUBLIC_CERTBOT_CHANNEL_WEBHOOK: "${{ secrets.MATTERMOST_PUBLIC_CERTBOT_CHANNEL_WEBHOOK }}"
diff --git a/.github/workflows/notify_nightly.yml b/.github/workflows/notify_nightly.yml
index 8657dadfc..7ba45600a 100644
--- a/.github/workflows/notify_nightly.yml
+++ b/.github/workflows/notify_nightly.yml
@@ -6,11 +6,15 @@ on:
 MATTERMOST_PUBLIC_CERTBOT_CHANNEL_WEBHOOK:
 required: true
-permissions: {}
+permissions:
+ actions: read
+
 jobs:
 notify_mattermost:
 name: Notify mattermost
 runs-on: ubuntu-latest
+ env:
+ GH_TOKEN: ${{ github.token }}
 steps:
 # we pin this action to a version tested and audited by certbot's
 # maintainers for extra security. the full hash is used as doing so is
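Review bot: The new `permissions:` block on the calling job in nightly.yml carries no comment saying why `actions: read` is required, so a later hardening pass could set it back to `{}` or widen it without knowing the constraint. For a reusable workflow the caller's grant is the ceiling for the called workflow's token, so this block and the one added in notify_nightly.yml have to stay in step. A one-line comment above it would record that, e.g. `# actions: read is needed by the gh api call in notify_nightly.yml; keep both permissions blocks in sync` (the exact API call is not visible here, so adjust the wording to what it reads). The job definition starts above the hunk.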
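Review bot: `GH_TOKEN` is set in the job-level `env` of `notify_mattermost` in notify_nightly.yml, so every step in the job receives the token, including the third-party action that the comment just below describes as pinned; only the step that runs `gh api` needs it. The token is capped at `actions: read`, so the exposure is small today, but moving the two lines into an `env:` under that one `run` step keeps the token least-privilege if the permissions are ever widened. The steps themselves lie outside the hunk, so which step calls `gh` is assumed from the commit subject. Quoting the expression as `GH_TOKEN: "${{ github.token }}"` would also match how the secret is written in nightly.yml.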