From 87bb05d3b2169002e3358bd56eebbd36c43add02 Mon Sep 17 00:00:00 2001
From: Victor Zverovich
Date: Tue, 9 Jun 2026 07:40:36 +0200
Subject: [PATCH] Fix release workflow startup failure from insufficient permissions

The provenance job called the SLSA generator with contents: read, but the generator's upload-assets job declares contents: write. A reusable workflow's job permissions may not exceed the caller's, so GitHub failed the run at startup. Grant contents: write; the upload-assets job is still skipped at runtime since upload-assets is false.
---
 .github/workflows/release.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8b5aa3db..4eecf05c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -87,7 +87,10 @@ jobs:
 permissions:
 actions: read
 id-token: write
- contents: read
+ # contents: write is required because the generator's (skipped)
+ # upload-assets job declares it, and a reusable workflow's job
+ # permissions may not exceed the caller's, or the run fails at startup.
+ contents: write
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
 with:
 base64-subjects: ${{ needs.build.outputs.hashes }}
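Review bot: The new `contents: write` grant on the provenance job is only harmless while the generator's upload-assets job stays skipped, and the added comment does not name the input that keeps it skipped. The `with:` block continues past the end of this hunk, so it is not visible here whether `upload-assets: false` is set explicitly or left to the generator's default; setting it explicitly would keep a later generator bump from silently turning the write scope into a release upload. I would extend the comment with a line such as `# Keep upload-assets: false below; with it enabled this job can write release assets.` Since the write ceiling is now handed to a third-party reusable workflow referenced by the tag `v2.1.0`, that workflow's per-job permissions are also worth re-reading whenever the tag is bumped.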