Grant contents: write to release job so gh-release can publish

Tim-Butterfield · claude · Tim-Butterfield · commit 117328af802f · 2026-04-22T22:41:57.000-04:00
The softprops/action-gh-release@v2 action needs write access to the
repo's contents to create a release via the REST API. Since GitHub
tightened the default GITHUB_TOKEN permissions in 2023, the token now
arrives at each job with contents: read only. Scope contents: write to
the release job; build-and-test keeps default read-only permissions.

Fixes the 403 "Resource not accessible by integration" error that
blocked the v1.0.0 release workflow.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -52,6 +52,15 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: windows-latest
 
+    # softprops/action-gh-release@v2 creates a GitHub Release for the
+    # pushed tag via the REST API, which requires write access to the
+    # repo's contents. The default GITHUB_TOKEN has read-only contents
+    # since GitHub tightened action token defaults in 2023, so we have
+    # to grant write explicitly here. Scoped to the release job only;
+    # build-and-test stays on default read-only permissions.
+    permissions:
+      contents: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
