From 223701d4eccfe9d4d31b25d8cec3f9131811e162 Mon Sep 17 00:00:00 2001
From: Ygal Blum
Date: Fri, 27 Mar 2026 09:30:58 -0400
Subject: [PATCH] Fix release workflow permissions for reusable workflow call
Move contents: write permission from the called workflow (release.yaml) to the caller (tag-release.yaml), since reusable workflows cannot escalate beyond the caller permissions.
Co-Authored-By: Claude Opus 4.6
Signed-off-by: Ygal Blum
---
 .github/workflows/release.yaml | 3 ---
 .github/workflows/tag-release.yaml | 3 +++
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index bec3301..bc8d66d 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -3,9 +3,6 @@ name: Release
 on:
 workflow_call:
-permissions:
- contents: write
-
 jobs:
 release:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/tag-release.yaml b/.github/workflows/tag-release.yaml
index 39c17f7..2450fa6 100644
--- a/.github/workflows/tag-release.yaml
+++ b/.github/workflows/tag-release.yaml
@@ -5,6 +5,9 @@ on:
 tags:
 - "v*"
+permissions:
+ contents: write
+
 jobs:
 ci:
 uses: ./.github/workflows/ci.yaml
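Review bot: The `permissions:` block added at workflow level in tag-release.yaml applies to every job in that workflow, so the `ci` job that calls `./.github/workflows/ci.yaml` also runs with a token that has `contents: write`, which a CI run presumably does not need. Least privilege would keep the workflow-level default at `contents: read` and put `permissions:` with `contents: write` only on the job that calls release.yaml; `jobs.<job_id>.permissions` is accepted on jobs that use `uses:`. That job lies outside this hunk, so its name and position are not visible here. Separately, with the block removed from release.yaml the called workflow no longer caps its own token and inherits whatever a caller grants, so a short comment there such as `# requires contents: write from the caller` would document the expectation.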