security: designate privileges for release workflow

sheldonhull · sheldonhull · commit 2d3e2972dbc0 · 2025-01-22T17:37:07.000-06:00
diff --git a/.changes/v0.2.1.md b/.changes/v0.2.1.md
@@ -0,0 +1,3 @@
+## v0.2.1 - 2025-01-22
+
+- _security_: Improve release workflow with designated permissions in the reusable template.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,6 +13,8 @@ jobs:
   goreleaser:
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html),
 and is generated by [Changie](https://github.com/miniscruff/changie).
 
+## v0.2.1 - 2025-01-22
+
+- _security_: Improve release workflow with designated permissions in the reusable template.
 ## v0.2.0 - 2024-10-07
 
 - _new-product-feature_: Improve linting with additional job that validates changie entry exists when it should be included. Certain exclusions are added such as labels for `dependencies` by Renovate, and `no-changie-required` label for exceptions. This will use PR comment type so automatic changes required will show up.
@@ -68,3 +71,4 @@ This is done to help the development effort to bump a release based on dependenc
 - Add new template for annotations based on trunk result.
   This will eventually run seperately from trunk to allow forks to securely be annotated as well.
   At this time it's just a unused template.
+

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+## v0.2.1 - 2025-01-22`
	`2`	`+`
	`3`	`+- _security_: Improve release workflow with designated permissions in the reusable template.`