From 6e61eaeb36ac2918f886cc04800397abf07591ff Mon Sep 17 00:00:00 2001
From: Evgeni Golov <evgeni@golov.de>
Date: Tue, 17 Jun 2025 10:20:26 +0200
Subject: [PATCH] allow create-branch and create-gh-release workflows to write
 contents
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When repositories default to read-only workflow permissions¹, the
creation of the branch fails as it needs write permissions.

¹: This can be set in {repo}/settings/actions in the UI
---
 templates/github/.github/workflows/create-branch.yml.j2 | 3 +++
 templates/github/.github/workflows/publish.yml.j2       | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/templates/github/.github/workflows/create-branch.yml.j2 b/templates/github/.github/workflows/create-branch.yml.j2
index 03e4aa8f..bcb558c7 100644
--- a/templates/github/.github/workflows/create-branch.yml.j2
+++ b/templates/github/.github/workflows/create-branch.yml.j2
@@ -20,6 +20,9 @@ jobs:
     strategy:
       fail-fast: false
 
+    permissions:
+      contents: write
+
     steps:
       {{ checkout(depth=0, path=plugin_name) | indent(6) }}
 
diff --git a/templates/github/.github/workflows/publish.yml.j2 b/templates/github/.github/workflows/publish.yml.j2
index 7d1d3462..c95d2834 100644
--- a/templates/github/.github/workflows/publish.yml.j2
+++ b/templates/github/.github/workflows/publish.yml.j2
@@ -139,6 +139,9 @@ jobs:
       {%- endif %}
       {%- endif %}
 
+    permissions:
+      contents: write
+
     steps:
       - name: "Create release on GitHub"
         uses: "actions/github-script@v7"