From c7457495165f8d67edbbc59aee8ff94c0bec9d78 Mon Sep 17 00:00:00 2001
From: Zdenko Kovac
Date: Tue, 26 May 2026 21:23:49 +0200
Subject: [PATCH] chore(ci): declare explicit permissions for read-default rollout

The publish-clm.yaml and publish-scaffold.yaml workflows upload release binaries via curl using the default GITHUB_TOKEN. Once the org-wide flip to read-default GITHUB_TOKEN lands, the asset upload requests will 403 unless the workflows explicitly declare contents: write. This narrows the token's effective scope (was implicit write-everything; becomes contents:write only) without changing happy-path behavior.
---
 .github/workflows/publish-clm.yaml      | 3 +++
 .github/workflows/publish-scaffold.yaml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/publish-clm.yaml b/.github/workflows/publish-clm.yaml
index e7ffc0f9..a4457095 100644
--- a/.github/workflows/publish-clm.yaml
+++ b/.github/workflows/publish-clm.yaml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: write
+
 defaults:
   run:
     shell: bash
diff --git a/.github/workflows/publish-scaffold.yaml b/.github/workflows/publish-scaffold.yaml
index c3430643..bbcb2743 100644
--- a/.github/workflows/publish-scaffold.yaml
+++ b/.github/workflows/publish-scaffold.yaml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: write
+
 defaults:
   run:
     shell: bash
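Review bot: The workflow-level `permissions:` block added in publish-clm.yaml (and identically in publish-scaffold.yaml) grants `contents: write` to every job in the workflow, not only to the job that performs the curl asset upload; if either workflow has separate build or test jobs, the tighter form is `permissions: contents: read` (or `permissions: {}`) at the top with `permissions: contents: write` declared on the upload job alone. The job definitions lie outside this hunk, so whether that split applies cannot be confirmed here. Declaring the block also sets every unlisted scope to none, as the description notes, so any step in these workflows that relies on another scope (for example `id-token: write` for OIDC or `packages: write`) must be listed explicitly or it will begin failing once this merges; a quick pass over the step list before merging is worthwhile.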