grafana · martincostello · Nov 21, 2025 · Copilot · Nov 21, 2025
diff --git a/.github/workflows/ghcr-image-build-and-publish.yml b/.github/workflows/ghcr-image-build-and-publish.yml
@@ -104,3 +104,20 @@ jobs:
           DIGEST: ${{ steps.push.outputs.digest }}
           TAGS: ${{ steps.meta.outputs.tags }}
         run: echo "${TAGS}" | xargs -I {} cosign sign --yes "{}@${DIGEST}"
+
+  test-permissions:
+    runs-on: [ubuntu-latest]
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Get GitHub token
+        id: get-token
+        uses: grafana/shared-workflows/actions/create-github-app-token@ae92934a14a48b94494dbc06d74a81d47fe08a40 # v0.2.2
+        with:
+          github_app: grafana-otel-bot
+          permission_set: default
+      - name: Show token permissions
+        run: |
+          echo "${{ steps.get-token.outputs.token }}" | gh auth login --with-token
-        run: |
-          echo "${{ steps.get-token.outputs.token }}" | gh auth login --with-token
+        env:
+          GH_TOKEN: ${{ steps.get-token.outputs.token }}
+        run: |
-        run: |
-          echo "${{ steps.get-token.outputs.token }}" | gh auth login --with-token
+        env:
+          GH_TOKEN: ${{ steps.get-token.outputs.token }}
+        run: |
+          gh auth status