Add read permissions to `publish-crates` job (#16797)

2025-11-20 16:38:19 -06:00 · 2025-11-20 16:38:19 -06:00 · 8d8aabb884
parent f2e92b4bfb
commit 8d8aabb884
2 changed files with 2 additions and 3 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -233,8 +233,7 @@ jobs:
    secrets: inherit
    # publish jobs get escalated permissions
    permissions:
-      "id-token": "write"
-      "packages": "write"
+      "contents": "read"

  # Create a GitHub Release while uploading all files to it
  announce:
--- a/dist-workspace.toml
+++ b/dist-workspace.toml
@ -61,7 +61,7 @@ publish-jobs = ["./publish-pypi", "./publish-crates"]
 # Post-announce jobs to run in CI
 post-announce-jobs = ["./publish-docs"]
 # Custom permissions for GitHub Jobs
-github-custom-job-permissions = { "build-docker" = { packages = "write", contents = "read", id-token = "write", attestations = "write" } }
+github-custom-job-permissions = { "build-docker" = { packages = "write", contents = "read", id-token = "write", attestations = "write" }, "publish-crates" = { contents = "read" } }
 # Whether to install an updater program
 install-updater = false
 # Path that installers should place binaries in