From cd5148184b810c7e6bc522d64cfb8a7a882e6cf5 Mon Sep 17 00:00:00 2001 From: Shunichi Shinohara Date: Mon, 11 May 2026 14:46:54 +0900 Subject: [PATCH] fix(ci/release): grant contents:write to goreleaser job The default GITHUB_TOKEN permissions are read-only in many repo/org configurations, which makes the goreleaser action fail at the "scm releases" step with `403 Resource not accessible by integration` when trying to PATCH the GitHub Release. Deny everything at the workflow level (`permissions: {}`) and grant `contents: write` only to the goreleaser job, following the least-privilege principle. Mirrors vulsio/go-cpe-dictionary#275. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/goreleaser.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml index 83891f7..df4f954 100644 --- a/.github/workflows/goreleaser.yml +++ b/.github/workflows/goreleaser.yml @@ -5,9 +5,13 @@ on: tags: - '*' +permissions: {} + jobs: goreleaser: runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Checkout
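Review bot: `permissions: {}` at the top of the file now zeroes the token for every job in this workflow, but the hunk only grants `contents: write` back to the `goreleaser` job; if goreleaser.yml defines any other job (none is visible in this hunk), it will now run with a token that cannot even check out the repo, so each such job needs its own `permissions:` block. Also worth a one-line comment next to `contents: write` stating that it exists for the `scm releases` PATCH of the GitHub Release, since the reason is otherwise only in the commit message. Finally, if the goreleaser configuration also publishes container images or other artifacts, `contents: write` alone will not cover those; that is not visible here, so please confirm a tag push actually succeeds end to end rather than only past the "scm releases" step.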