From 9bef9062c216b731560c5a1ce0fba9ac575123a5 Mon Sep 17 00:00:00 2001 From: Arpit Jain Date: Thu, 14 May 2026 11:36:06 +0900 Subject: [PATCH] ci: declare workflow-scope permissions on attach-release-artifacts and sonarcloud attach-release-artifacts uses `gh release upload` with GITHUB_TOKEN to attach a packaged cursor-rules zip to the published release; the release/upload-asset API call requires contents:write. sonarcloud runs SonarSource/sonarqube-scan-action against the main branch. The action only reads the repo + sends results to SonarCloud via SONAR_TOKEN. contents:read covers the actions/checkout call; no GitHub API write is needed for the scan itself. Style matches the workflow-level permissions block already in publish-library.yml, publish-s2-library.yml, publish-prod-storybook.yml, publish-s2-storybook.yml, and pr-checks.yml. Signed-off-by: Arpit Jain --- .github/workflows/attach-release-artifacts.yml | 3 +++ .github/workflows/sonarcloud.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/attach-release-artifacts.yml b/.github/workflows/attach-release-artifacts.yml index 8778d9f94..9c0325116 100644 --- a/.github/workflows/attach-release-artifacts.yml +++ b/.github/workflows/attach-release-artifacts.yml @@ -4,6 +4,9 @@ on: release: types: [published] +permissions: + contents: write # gh release upload requires releases write + jobs: attach-artifacts: runs-on: ubuntu-latest diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml index 59d8018d2..3ac009281 100644 --- a/.github/workflows/sonarcloud.yml +++ b/.github/workflows/sonarcloud.yml @@ -6,6 +6,9 @@ on: branches: - main +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest
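Review bot: In the attach-release-artifacts hunk, the inline comment `# gh release upload requires releases write` names a scope that does not exist for GITHUB_TOKEN; release asset uploads are covered by `contents: write`, which is what the line actually grants. Suggest rewording the comment to something like `# gh release upload (release asset API) needs contents: write` so a later reader does not go looking for a `releases` permission key. Also worth stating in the workflow or the commit message that a workflow-level `permissions` block sets every unlisted scope to none, so if the attach-artifacts job ever adds a step needing another scope (for example `id-token` for signing or `packages`), that scope has to be declared here explicitly rather than relying on the repository default.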
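Review bot: The sonarcloud hunk lacks the explanatory trailing comment the first hunk has; for consistency with the style the commit message says it is matching, add a short note such as `# checkout only; scan results go to SonarCloud via SONAR_TOKEN` next to `contents: read`. One caveat to record while doing so: the visible trigger context is `branches: - main` only, and because the workflow-level block zeroes out unlisted scopes, if a `pull_request` trigger with PR decoration through GITHUB_TOKEN is added later, `pull-requests: write` would have to be added to this block or the scan job will fail on the API call.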