From 4dbe77d0cd529aaa95305b13b1c96f2ef5bae273 Mon Sep 17 00:00:00 2001
From: Stefan Hattrell <29941279+digorgonzola@users.noreply.github.com>
Date: Tue, 27 Feb 2024 17:58:14 +1100
Subject: [PATCH] trigger_deploy.yml: fix permissions and allow empty value for digest

---
 .github/workflows/trigger_deploy.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/trigger_deploy.yml b/.github/workflows/trigger_deploy.yml
index b4d9024..004c626 100644
--- a/.github/workflows/trigger_deploy.yml
+++ b/.github/workflows/trigger_deploy.yml
@@ -16,7 +16,7 @@ on:
 - staging
 - production
 digest:
- required: true
+ required: false
 description: The image digest to pass to the deploy job.
 type: string
 workflow_call:
@@ -25,12 +25,16 @@ on:
 required: true
 type: string
 digest:
- required: true
+ required: false
 type: string
 environment:
 required: true
 type: string

+permissions:
+ id-token: write
+ contents: read
+
 jobs:
 trigger_deploy:
 runs-on: ubuntu-latest
@@ -44,6 +48,7 @@ jobs:
 role-to-assume: ${{ vars.AWS_ROLE_ARN }}

 - name: Push Image Digest to SSM
+ if: ${{ inputs.digest != '' }}
 run: |
 aws ssm put-parameter \
 --name "/apps/${{ inputs.app_name }}/${{ inputs.environment }}/image_digest" \
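Review bot: The `description` on the dispatch `digest` input is stale now that the input is `required: false`. Leaving it blank skips the SSM push step (the `if:` added in the last hunk), so a deploy would presumably run against whatever digest the parameter already holds. The text should say so, e.g. `description: Image digest to pass to the deploy job; leave empty to keep the digest already stored in SSM.` The `workflow_call` `digest` input in the next hunk has no description at all and would benefit from the same sentence.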
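Review bot: The top-level `permissions` block covers the `workflow_dispatch` path, but on the `workflow_call` path a called workflow can only keep or reduce the calling job's token permissions, so `id-token: write` here has no effect unless the caller grants it too. The caller is not visible in this patch, so a comment above the block would help, e.g. `# id-token: write is for OIDC role assumption; workflows that call this one must grant it on the calling job as well`. As a style point, declaring the block under `trigger_deploy:` instead of at workflow level keeps the grant scoped to the one job that needs it if more jobs are added later. `contents: read` is only needed if a step reads the repository, which the visible lines do not show.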
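Review bot: `${{ inputs.app_name }}` and `${{ inputs.environment }}` on the `--name` line are expanded into the `run:` script text before the shell parses it, so shell metacharacters in an input become part of a command that runs with the assumed AWS role. The new `if:` only checks that `digest` is non-empty and does not address this. Pass the inputs through `env:` and reference them as quoted shell variables, as below. The step continues past the end of the hunk; if `digest` is interpolated into the remaining arguments the same way, it needs the same treatment. A format check on the digest (algorithm prefix followed by hex) before the write would also keep malformed values out of the parameter the deploy presumably reads.

```yaml
        # … unchanged: step name and if condition …
        env:
          APP_NAME: ${{ inputs.app_name }}
          ENVIRONMENT: ${{ inputs.environment }}
        run: |
          aws ssm put-parameter \
            --name "/apps/${APP_NAME}/${ENVIRONMENT}/image_digest" \
```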