From da8daee4c50ce5a3100394deef4bb5b81e88964d Mon Sep 17 00:00:00 2001 From: Zdenko Kovac Date: Tue, 26 May 2026 21:21:06 +0200 Subject: [PATCH] chore(ci): declare explicit permissions for read-default rollout The generate.yaml workflow runs 'git push' using the default GITHUB_TOKEN provided by actions/checkout. Once the org-wide flip to read-default GITHUB_TOKEN lands, that push will fail unless the workflow explicitly declares contents: write. This narrows the token's effective scope (was implicit write-everything; becomes read all + write contents) without changing happy-path behavior. --- .github/workflows/generate.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/generate.yaml b/.github/workflows/generate.yaml index 301dfcb..8ba2feb 100644 --- a/.github/workflows/generate.yaml +++ b/.github/workflows/generate.yaml @@ -3,6 +3,9 @@ name: Update generated artifacts on: workflow_dispatch: +permissions: + contents: write + defaults: run: shell: bash
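Review bot: `contents: write` is declared at workflow level (the `permissions:` block above `defaults:`), so every job in generate.yaml gets a push-capable token, and every scope the block does not list drops to `none`, not to read as the description states. The jobs are outside this hunk, so confirm that no step depends on another scope, and if a single job runs the `git push`, prefer `permissions: {}` at the top with `contents: write` declared under that job's own `permissions:` key. Since actions/checkout keeps the token in the local git config by default, every step after checkout in that job can use the write scope, which is one more reason to keep it on the pushing job only. A comment such as `# contents: write is required for the git push of generated artifacts` on the block would record why the scope is there.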