fix: add contents: write permission to publish workflow build job #318

Merged
alirezanet merged 2 commits into master from copilot/fix-ci-cd-tag-push-permissions
Mar 7, 2026

Contributor

Copilot AI commented Mar 7, 2026

The build job in the NuGet publish workflow inherits contents: read from the top-level permissions block, causing github-actions[bot] to receive a 403 when alirezanet/publish-nuget attempts to push release tags (e.g. v2.19.0-preview3).

Changes

  • .github/workflows/publush.yml — add job-level permissions: contents: write to the build job, overriding the top-level contents: read only where tag pushes are needed

jobs:
   build:
      runs-on: ubuntu-latest
      environment: nuget
      permissions:
         contents: write   # allows github-actions[bot] to push release tags

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • I have performed a self-review of my code
  • I have added tests that prove my fix is effective or that my feature works
  • I have made corresponding changes to the documentation
  • I have commented my code, particularly in hard-to-understand areas
  • New and existing unit tests pass locally with my changes

Original prompt

Problem

The CI/CD job that creates and pushes NuGet release tags (e.g. v2.19.0-preview3) is failing with a 403 error:

remote: Permission to alirezanet/Gridify.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/alirezanet/Gridify/': The requested URL returned error: 403

The root cause is that the build job in .github/workflows/publush.yml does not have contents: write permission. The top-level permissions block sets contents: read, and there is no job-level override to elevate it to write. As a result, github-actions[bot] is denied when trying to push a tag back to the repository.

Fix

In .github/workflows/publush.yml, add a permissions block to the build job that sets contents: write. This overrides the top-level contents: read for that specific job and allows github-actions[bot] to push tags.

Current file (.github/workflows/publush.yml):

permissions:
   contents: read

jobs:
   build:
      runs-on: ubuntu-latest
      environment: nuget
      # ← no permissions block here; inherits contents: read → tag push fails
      env:
         HUSKY: 0
      steps:
        ...

Required change:

Add permissions: contents: write to the build job:

permissions:
   contents: read

jobs:
   build:
      runs-on: ubuntu-latest
      environment: nuget
      permissions:
         contents: write   # ← add this so github-actions[bot] can push tags
      env:
         HUSKY: 0
      steps:
        ...

The BlobSha of the current file is 6f5645397fc1d4b0a5b453b54ca8377be3d63fc6.

Please make only this targeted change to .github/workflows/publush.yml and open a pull request against master.

This pull request was created from Copilot chat.


Co-authored-by: alirezanet <7004080+alirezanet@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix CI/CD job permissions for pushing NuGet release tags" to "fix: add contents: write permission to publish workflow build job" Mar 7, 2026
alirezanet marked this pull request as ready for review March 7, 2026 16:35
Copilot stopped work on behalf of alirezanet due to an error March 7, 2026 17:44
Copilot stopped work on behalf of alirezanet due to an error March 7, 2026 17:46
alirezanet merged commit 2076268 into master Mar 7, 2026
5 of 7 checks passed
alirezanet deleted the copilot/fix-ci-cd-tag-push-permissions branch March 7, 2026 17:49
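
Added example, not part of the pull request or the Gridify repository: a small resolver for the GITHUB_TOKEN permissions a job ends up with, showing that a job-level `permissions` block replaces the workflow-level one rather than merging with it, so every scope it does not list drops to none. The function names are hypothetical, workflows are assumed to be already parsed into dicts by a YAML loader, and `BEFORE`/`AFTER` are constructed from the two snippets quoted in the comment above.

```python
# Added example: which GITHUB_TOKEN permissions does each job actually get?
# Workflows are plain dicts, as a YAML loader would return them (assumption).

def resolve(workflow, job_name):
    """Return (source, declared) for the permissions block that applies to a job."""
    job = workflow["jobs"][job_name]
    if "permissions" in job:          # job-level block replaces the top-level one
        return "job", job["permissions"]
    if "permissions" in workflow:     # otherwise the top-level block is inherited
        return "workflow", workflow["permissions"]
    return "repo-default", None       # nothing declared: repository settings decide


def access(workflow, job_name, scope):
    """Access for one scope: 'read', 'write', 'none', a shorthand, or 'repo-default'."""
    _, declared = resolve(workflow, job_name)
    if declared is None:
        return "repo-default"
    if isinstance(declared, str):     # 'read-all' / 'write-all' shorthand, as written
        return declared
    return declared.get(scope, "none")  # scopes not listed are set to none


def jobs_with_write(workflow):
    """Map job name -> (source, scopes) for every job whose token can write."""
    findings = {}
    for name in workflow["jobs"]:
        source, declared = resolve(workflow, name)
        if declared == "write-all":
            findings[name] = (source, ["write-all"])
        elif isinstance(declared, dict):
            scopes = sorted(s for s, lvl in declared.items() if lvl == "write")
            if scopes:
                findings[name] = (source, scopes)
    return findings


# Constructed from the two snippets on this page (env and steps omitted).
BEFORE = {"permissions": {"contents": "read"},
          "jobs": {"build": {"runs-on": "ubuntu-latest", "environment": "nuget"}}}
AFTER = {"permissions": {"contents": "read"},
         "jobs": {"build": {"runs-on": "ubuntu-latest", "environment": "nuget",
                            "permissions": {"contents": "write"}}}}

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label, access(wf, "build", "contents"), jobs_with_write(wf))
```

Running `jobs_with_write` over every workflow in a repository gives a reviewable list of the jobs whose token can modify the repository, which is the set this change extends by one.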