fix(ci): provide necessary permissions for calling workflow

Also error on the side of security adding an extra check on the
automatic PR step.

2 files changed, 4 insertions, 1 deletions

diff --git a/.github/workflows/api-docs-check.yml b/.github/workflows/api-docs-check.yml
index 8ae6e6ff92..bcbc631172 100644
--- a/.github/workflows/api-docs-check.yml
+++ b/.github/workflows/api-docs-check.yml
@@ -12,6 +12,9 @@ on:
 jobs:
   call-regen-api-docs:
     if: github.event.pull_request.draft == false
+    permissions:
+      contents: write
+      pull-requests: write
     uses: ./.github/workflows/api-docs.yml
     with:
       check_only: true
diff --git a/.github/workflows/api-docs.yml b/.github/workflows/api-docs.yml
index 36ac087c4a..7550af6fef 100644
--- a/.github/workflows/api-docs.yml
+++ b/.github/workflows/api-docs.yml
@@ -60,7 +60,7 @@ jobs:
           exit 1
 
       - name: Automatic PR
-        if: ${{ steps.docs.outputs.UPDATED_DOCS != 0 }}
+        if: ${{ steps.docs.outputs.UPDATED_DOCS != 0 && !inputs.check_only }}
         run: |
           git add -u
           git commit -m 'docs: regenerate [skip ci]'