From 5322b2f41dd6be8aafa6d5da2916813978eba5db Mon Sep 17 00:00:00 2001
From: Arpit Jain
Date: Thu, 14 May 2026 11:37:37 +0900
Subject: [PATCH 1/2] ci: declare contents:write on Release workflow's release job

The release job runs `gh release create` with the implicit GITHUB_TOKEN to attach helm chart tarballs and the aigw binaries as release assets. The releases/upload-asset API needs contents:write. The block sits on the `release` job rather than at workflow scope to avoid intersecting with the docker_push reusable workflow caller (`./.github/workflows/docker_build_job.yaml`), which has its own permissions story for the DockerHub push path. Style matches the per-job permissions blocks already used by codeql.yaml (actions:read, contents:read, security-events:write) and the workflow-level block in build_and_test.yaml (contents:read + packages:write + id-token:write).

Signed-off-by: Arpit Jain
---
 .github/workflows/release.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ff020bb28f..271915e39d 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -14,6 +14,8 @@ jobs:
 needs: [docker_push]
 name: Release
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # gh release create requires releases:write
 steps:
 - name: Set HELM_CHART_VERSION and TAG envs
 run: |

From ba2f2f441290616279c0566daa65225a9cd4f912 Mon Sep 17 00:00:00 2001
From: Ignasi Barrera
Date: Tue, 2 Jun 2026 18:35:16 +0200
Subject: [PATCH 2/2] Update .github/workflows/release.yaml

Signed-off-by: Ignasi Barrera
---
 .github/workflows/release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 271915e39d..86e2528669 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
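Review bot: The job-level `permissions:` block added after `runs-on` makes `contents: write` the job's only scope, because a job-level block sets every scope it does not list to none instead of inheriting the repository default; any later step of the `release` job (its body continues past `run: |`, outside the hunk) that pulls the chart tarballs or aigw binaries from GHCR, or mints an OIDC token, would now need `packages: read` or `id-token: write` declared alongside it. That is worth checking against the rest of the job before merging, since the failure would only surface on a real release run. `contents: write` is the narrowest scope GitHub offers for creating a release and uploading assets, so the choice itself is the least-privilege one; it also lets the same token push commits and tags, which is worth recording so the scope is not widened casually later. A short comment on the block would also stop a future edit from adding a scope at workflow level and expecting it to reach this job: `permissions:  # job-level block: scopes not listed here are none for this job`.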
@@ -15,7 +15,7 @@ jobs:
 name: Release
 runs-on: ubuntu-latest
 permissions:
- contents: write # gh release create requires releases:write
+ contents: write # gh release create requires contents:write
 steps:
 - name: Set HELM_CHART_VERSION and TAG envs
 run: |