From 21a01e52d3711c108b2d0b0bfa4de6072282bb3f Mon Sep 17 00:00:00 2001
From: Sebastian Mendel
Date: Thu, 30 Apr 2026 09:45:30 +0200
Subject: [PATCH 1/2] ci(release): grant SLSA provenance permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Required by netresearch/skill-repo-skill/.github/workflows/release.yml, which generates SLSA build-provenance attestations for release archives via actions/attest-build-provenance. The reusable workflow's attest job needs id-token: write (OIDC for sigstore) and attestations: write (GitHub native attestation API) on the calling job. Also drops pull-requests: write — the reusable workflow doesn't touch the pulls API; it was over-privileging.
---
 .github/workflows/release.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 13d77d1..ecf7a07 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,5 +21,6 @@ jobs:
 with:
 bump: ${{ inputs.bump }}
 permissions:
- contents: write
- pull-requests: write
+ contents: write # release upload
+ id-token: write # OIDC for sigstore (required by the attest job)
+ attestations: write # GitHub native attestation API (required by the attest job)
\ No newline at end of file
From 825fb99d99ae6c1ef65b7eab6ba36ef8b281553d Mon Sep 17 00:00:00 2001
From: Sebastian Mendel
Date: Thu, 30 Apr 2026 09:59:43 +0200
Subject: [PATCH 2/2] ci(release): add trailing newline (yamllint fix)
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ecf7a07..9eb6647 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
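Review bot: In the `permissions:` block of [PATCH 1/2], `id-token: write` and `attestations: write` are granted to the whole called reusable workflow, not only its attest job, because a caller's job-level permissions are the upper bound for every job the called workflow runs. The `uses:` line sits above the hunk and is not visible here; if it references `netresearch/skill-repo-skill` by branch or tag rather than a full commit SHA, a later change in that repository would inherit release-upload and OIDC signing rights in this one, so pinning the ref is worth confirming. It is also worth checking that the reusable workflow declares `permissions:` per job so only the attest job can request the token. A comment above the block such as `# upper bound for every job in the called workflow, not just attest` would record this for the next editor.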
@@ -23,4 +23,4 @@ jobs:
 permissions:
 contents: write # release upload
 id-token: write # OIDC for sigstore (required by the attest job)
- attestations: write # GitHub native attestation API (required by the attest job)
\ No newline at end of file
+ attestations: write # GitHub native attestation API (required by the attest job)