ci: verify-assets needs contents:write to read draft releases

gh release download 404s ("release not found") on a draft tag when the token is contents:read — GitHub only shows drafts to tokens with push access. The workflow still only reads assets; the scope bump is purely for draft visibility.
2026-06-09 12:29:35 +02:00
parent 86a04d2d34
commit 7260f461bb
1 changed files with 5 additions and 1 deletions
@@ -23,7 +23,11 @@ on:
        required: true

 permissions:
-  contents: read
+  # write (not read) is required: GitHub only exposes DRAFT releases to tokens
+  # with push access. With contents:read, `gh release download` on a draft tag
+  # 404s ("release not found"). This workflow only READS assets — the elevated
+  # scope is solely to make draft releases visible to GITHUB_TOKEN.
+  contents: write

 jobs:
  drive: