github-action: add artifact-metadata permission for attestations (#545)

v1v · web-flow · commit e5480ff35c39 · 2026-01-26T09:33:22.000+01:00
## Details ⚠️ This PR was created by an automated tool. Please review the changes carefully. ⚠️ The attestations permission is necessary to persist the attestation. The artifact-metadata permission is required to generate artifact metadata storage records. This change adds `artifact-metadata: write` permission to workflows that have `attestations: write` permission, as required by the actions/attest-build-provenance action. See: * https://github.com/marketplace/actions/attest-build-provenance#usage * https://github.blog/changelog/2026-01-20-strengthen-your-supply-chain-with-code-to-cloud-traceability-and-slsa-build-level-3-security/ If there are any questions, please reach out to the @elastic/observablt-ci
diff --git a/.github/workflows/release-main.yml b/.github/workflows/release-main.yml
@@ -14,10 +14,11 @@ jobs:
   release:
     runs-on: ubuntu-latest
     permissions:
+      artifact-metadata: write
+      attestations: write
       contents: write
       id-token: write
       packages: write
-      attestations: write
     steps:
     - uses: actions/checkout@v6
     - name: Bootstrap Action Workspace
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,10 +13,11 @@ jobs:
   release:
     runs-on: ubuntu-latest
     permissions:
+      artifact-metadata: write
+      attestations: write
       contents: write
       id-token: write
       issues: write
-      attestations: write
     steps:
     - uses: actions/checkout@v6
     - name: Bootstrap Action Workspace
