From 8d8aabb88490672c156fc688e7823140681497d0 Mon Sep 17 00:00:00 2001
From: Zanie Blue
Date: Thu, 20 Nov 2025 16:38:19 -0600
Subject: [PATCH] Add read permissions to `publish-crates` job (#16797)
---
 .github/workflows/release.yml | 3 +--
 dist-workspace.toml | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1de58b1c8..c87879340 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -233,8 +233,7 @@ jobs:
 secrets: inherit
 # publish jobs get escalated permissions
 permissions:
- "id-token": "write"
- "packages": "write"
+ "contents": "read"
 # Create a GitHub Release while uploading all files to it
 announce:
diff --git a/dist-workspace.toml b/dist-workspace.toml
index 5380d188d..d6191b07a 100644
--- a/dist-workspace.toml
+++ b/dist-workspace.toml
@@ -61,7 +61,7 @@ publish-jobs = ["./publish-pypi", "./publish-crates"]
 # Post-announce jobs to run in CI
 post-announce-jobs = ["./publish-docs"]
 # Custom permissions for GitHub Jobs
-github-custom-job-permissions = { "build-docker" = { packages = "write", contents = "read", id-token = "write", attestations = "write" } }
+github-custom-job-permissions = { "build-docker" = { packages = "write", contents = "read", id-token = "write", attestations = "write" }, "publish-crates" = { contents = "read" } }
 # Whether to install an updater program
 install-updater = false
 # Path that installers should place binaries in
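Review bot: The `"publish-crates" = { contents = "read" }` entry in dist-workspace.toml is added without a comment saying why the job is listed, and the existing `# Custom permissions for GitHub Jobs` line does not convey that naming a job here appears to replace its default grants; the release.yml hunk in this commit shows `id-token: write` and `packages: write` being dropped in favour of `contents: read`. I would put a line above the key such as `# publish-crates: read-only token; listing a job here replaces the default publish-job grants (id-token/packages write)`. That job still has `secrets: inherit` in release.yml, so this narrows only the GITHUB_TOKEN and not the secrets passed to the called workflow, which is worth stating in the same comment. The `# publish jobs get escalated permissions` comment above `permissions:` in release.yml no longer matches what the block grants, though if that file is generated the wording presumably has to change in the generator's template rather than here.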