From 0d6c3de4f5e8def2b3ad4fdd579a80bcc9e9aa2c Mon Sep 17 00:00:00 2001
From: Jacob Bolda <me@jacobbolda.com>
Date: Fri, 12 Jun 2026 23:08:53 -0500
Subject: [PATCH 1/2] only read perms needed

---
 .github/workflows/preview.yml | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
index 803de50..38df172 100644
--- a/.github/workflows/preview.yml
+++ b/.github/workflows/preview.yml
@@ -13,16 +13,10 @@ on:
         required: false
         type: string
 
-permissions: {}
-
 jobs:
   preview:
     if: github.repository_owner == 'bombshell-dev'
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-      id-token: write
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

From 6ab8752cac06e39633db1ef805966009403334b5 Mon Sep 17 00:00:00 2001
From: Jacob Bolda <me@jacobbolda.com>
Date: Fri, 12 Jun 2026 23:09:18 -0500
Subject: [PATCH 2/2] use pnpm pack for preview assets

---
 .github/workflows/preview.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/preview.yml b/.github/workflows/preview.yml
index 38df172..8592c9a 100644
--- a/.github/workflows/preview.yml
+++ b/.github/workflows/preview.yml
@@ -41,4 +41,4 @@ jobs:
         env:
           TEMPLATE_GLOB: ${{ inputs.template }}
           PUBLISH_GLOB: ${{ inputs.publish }}
-        run: pnpx pkg-pr-new publish "$PUBLISH_GLOB" --template "$TEMPLATE_GLOB"
+        run: pnpx pkg-pr-new publish --pnpm "$PUBLISH_GLOB" --template "$TEMPLATE_GLOB"