fix(CI): Grant action content write permission for release upload

By default our organization on GH only grants a more restricted read permission to actions for content APIs, which include both writing to repo for nightly tag creation, and writing to releases for nightly and tag release creation or updates.
Talkless · Feb 17, 2022 · 1bc72ab · 1bc72ab
1 parent b657fa2
commit 1bc72ab
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/.github/workflows/build-test-deploy.yaml b/.github/workflows/build-test-deploy.yaml
@@ -5,6 +5,8 @@ jobs:
     name: Update nightly release tag
     runs-on: ubuntu-latest
     if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+    permissions:
+        contents: write
     steps:
       - uses: actions/checkout@v2
       - name: Move nightly tag to head for nightly release
@@ -203,6 +205,8 @@ jobs:
       needs.build-ubuntu-lts-docker.result == 'success' &&
       (needs.update-nightly-tag.result == 'success' ||
         needs.update-nightly-tag.result == 'skipped')
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v2
       - uses: ./.github/actions/load-docker-image
@@ -256,6 +260,8 @@ jobs:
       needs.build-flatpak-docker.result == 'success' &&
       (needs.update-nightly-tag.result == 'success' ||
         needs.update-nightly-tag.result == 'skipped')
+    permissions:
+        contents: write
     steps:
       - uses: actions/checkout@v2
       - uses: ./.github/actions/load-docker-image
@@ -308,6 +314,8 @@ jobs:
       needs.build-windows-docker.result == 'success' &&
       (needs.update-nightly-tag.result == 'success' ||
         needs.update-nightly-tag.result == 'skipped')
+    permissions:
+        contents: write
     strategy:
       matrix:
         build_type: [debug, release]
@@ -378,6 +386,8 @@ jobs:
       needs.build-windows-i686-docker.result == 'success' &&
       (needs.update-nightly-tag.result == 'success' ||
         needs.update-nightly-tag.result == 'skipped')
+    permissions:
+      contents: write
     strategy:
       matrix:
         build_type: [debug, release]
@@ -447,6 +457,8 @@ jobs:
       always() &&
       (needs.update-nightly-tag.result == 'success' ||
         needs.update-nightly-tag.result == 'skipped')
+    permissions:
+      contents: write
     env:
       TRAVIS: true
       TRAVIS_BUILD_DIR: ${{ github.workspace }}