From 6a05b9eec5d83f39e021e675d9f055724441c74e Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Mon, 27 Apr 2026 04:27:42 +0100
Subject: [PATCH] ci: fix package acceptance permissions

---
 .github/workflows/package-acceptance.yml         | 1 +
 test/scripts/package-acceptance-workflow.test.ts | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/package-acceptance.yml b/.github/workflows/package-acceptance.yml
index 5ec2d0c76b1..09d96e50492 100644
--- a/.github/workflows/package-acceptance.yml
+++ b/.github/workflows/package-acceptance.yml
@@ -73,6 +73,7 @@ permissions:
   actions: read
   contents: read
   packages: write
+  pull-requests: read
 
 concurrency:
   group: package-acceptance-${{ github.run_id }}
diff --git a/test/scripts/package-acceptance-workflow.test.ts b/test/scripts/package-acceptance-workflow.test.ts
index 5f7cd12731b..e802dc0bc5e 100644
--- a/test/scripts/package-acceptance-workflow.test.ts
+++ b/test/scripts/package-acceptance-workflow.test.ts
@@ -19,6 +19,7 @@ describe("package acceptance workflow", () => {
     expect(workflow).toContain("scripts/resolve-openclaw-package-candidate.mjs");
     expect(workflow).toContain('gh run download "$ARTIFACT_RUN_ID"');
     expect(workflow).toContain("name: ${{ env.PACKAGE_ARTIFACT_NAME }}");
+    expect(workflow).toContain("pull-requests: read");
     expect(workflow).toContain(
       "uses: ./.github/workflows/openclaw-live-and-e2e-checks-reusable.yml",
     );