From 8a2dafbd4d2178460a1762b7b51c6597bda994d5 Mon Sep 17 00:00:00 2001
From: Chun-Heng Tai <chtai@google.com>
Date: Thu, 19 Mar 2026 13:13:53 -0700
Subject: [PATCH] [ci] add more permissions for create-pull-request

---
 .github/workflows/batch_release_pr.yml | 4 +++-
 .github/workflows/sync_release_pr.yml  | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/batch_release_pr.yml b/.github/workflows/batch_release_pr.yml
index 43d84564242..03255791221 100644
--- a/.github/workflows/batch_release_pr.yml
+++ b/.github/workflows/batch_release_pr.yml
@@ -45,7 +45,9 @@ jobs:
     if: needs.create_batch_release_branch.outputs.branch_created == 'true'
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: write # Grants write permission to create a PR.
+      # The create-pull-request action needs both content and pull-requests permissions.
+      pull-requests: write
+      contents: write
     env:
       BRANCH_NAME: ${{ github.event.client_payload.package }}-${{ github.run_id }}-${{ github.run_attempt }}
     steps:
diff --git a/.github/workflows/sync_release_pr.yml b/.github/workflows/sync_release_pr.yml
index a53436ce0ff..6cb19bb4edb 100644
--- a/.github/workflows/sync_release_pr.yml
+++ b/.github/workflows/sync_release_pr.yml
@@ -9,6 +9,10 @@ on:
 jobs:
   create_sync_pr:
     runs-on: ubuntu-latest
+    permissions:
+      # The create-pull-request action needs both content and pull-requests permissions.
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd