From 88391da1c0c04ba9e12630b6b5cb9ffb8edbcf62 Mon Sep 17 00:00:00 2001
From: Victor Martinez
Date: Wed, 11 Feb 2026 11:21:30 +0100
Subject: [PATCH] ci: support provenance, store a different folder and use least-permissive access
---
 .github/workflows/release.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e8c7709b..720953a7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,13 +12,17 @@ env:
 DOCKER_IMAGE_NAME: observability/apm-lambda-extension
 permissions:
- contents: write
- id-token: write
- pull-requests: read
+ contents: read
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ attestations: write
+ artifact-metadata: write
+ contents: write
+ id-token: write
+ pull-requests: read
 steps:
 - uses: actions/checkout@v6
 with:
@@ -65,7 +69,7 @@ jobs:
 if: always()
 with:
 name: aws
- path: ".aws*/**/*"
+ path: ".aws-linux*/"
 retention-days: 5
 - name: generate build provenance (binaries)
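Review bot: Every step of the `build` job now runs with `contents: write`, `id-token: write` and `attestations: write`, and the first of them, `actions/checkout@v6`, is referenced by a mutable tag. Pinning the actions in this job to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha> # v6`, would keep a retagged action from running with the release and OIDC scopes. The added block also gives no reason for each scope; a comment above it such as `# contents: write publishes the release; id-token, attestations and artifact-metadata are for build provenance` would help later audits, but the steps that consume these scopes are outside the hunk, so confirm the mapping (and whether `pull-requests: read` is still needed) before writing it. If only the provenance and publish steps need write access, moving them to their own job would let the compile steps run under the workflow-level `contents: read`.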
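Review bot: The new `path: ".aws-linux*/"` still names a dot-prefixed directory, so it is worth confirming that this upload cannot silently come back empty. The step's `uses:` line is outside the hunk; if it is `actions/upload-artifact` at a version that skips hidden files by default, the step needs `include-hidden-files: true` next to `path`. Adding `if-no-files-found: error` would make a non-matching glob fail the release instead of only logging a warning, which matters here because the provenance step that follows presumably depends on the same build output.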