From 581183e908945a6e5523fa7987504f4073c418f5 Mon Sep 17 00:00:00 2001
From: max furman <mx.furman@gmail.com>
Date: Tue, 17 Mar 2026 10:36:22 -0700
Subject: [PATCH] Fix release workflow permissions for CI reusable workflow
 call

The top-level permissions block in release.yml was capping permissions
to `contents: read`, which blocked the called ci.yml workflow from
requesting `actions: read` and `security-events: write` needed for
CodeQL scanning.

Change-Type: ci
Release-Note: no
Audience: internal
Impact: none
Breaking: false
Co-Authored-By: Claude <noreply@anthropic.com>
---
 .github/workflows/release.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index acdd316..db6c337 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,8 @@ on:
 
 permissions:
   contents: read
+  actions: read
+  security-events: write
 
 jobs:
   ci: