From 1bc72ab1a476e8eb9ca3c58e01515421ab1c29f4 Mon Sep 17 00:00:00 2001
From: Anthony Bilinski
Date: Mon, 10 Jan 2022 00:01:32 -0800
Subject: [PATCH] fix(CI): Grant action content write permission for release upload

By default our organization on GH only grants a more restricted read permission to actions for content APIs, which include both writing to repo for nightly tag creation, and writing to releases for nightly and tag release creation or updates.
---
 .github/workflows/build-test-deploy.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/build-test-deploy.yaml b/.github/workflows/build-test-deploy.yaml
index 8d54a2164..7d2e5bcf4 100644
--- a/.github/workflows/build-test-deploy.yaml
+++ b/.github/workflows/build-test-deploy.yaml
@@ -5,6 +5,8 @@ jobs:
 name: Update nightly release tag
 runs-on: ubuntu-latest
 if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@v2
 - name: Move nightly tag to head for nightly release
@@ -203,6 +205,8 @@ jobs:
 needs.build-ubuntu-lts-docker.result == 'success' &&
 (needs.update-nightly-tag.result == 'success' ||
 needs.update-nightly-tag.result == 'skipped')
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@v2
 - uses: ./.github/actions/load-docker-image
@@ -256,6 +260,8 @@ jobs:
 needs.build-flatpak-docker.result == 'success' &&
 (needs.update-nightly-tag.result == 'success' ||
 needs.update-nightly-tag.result == 'skipped')
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@v2
 - uses: ./.github/actions/load-docker-image
@@ -308,6 +314,8 @@ jobs:
 needs.build-windows-docker.result == 'success' &&
 (needs.update-nightly-tag.result == 'success' ||
 needs.update-nightly-tag.result == 'skipped')
+ permissions:
+ contents: write
 strategy:
 matrix:
 build_type: [debug, release]
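Review bot: The new `permissions:` block in the update-nightly-tag job (hunk `@@ -5,6 +5,8`) has no comment saying why write access is needed; the reason lives only in the commit message. A one-line comment above it, e.g. `# contents: write is needed to move the nightly tag; the org default token is read-only`, would keep a later cleanup from dropping or widening the grant. Because a job-level `permissions:` block sets every unlisted scope to none, the grant itself stays narrow, and the job's `if:` already limits it to pushes on master. The job's step list continues outside the hunk.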
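Review bot: The `contents: write` grant added in hunk `@@ -203,6 +205,8`, and the identical grants in the hunks at `@@ -256`, `@@ -308`, `@@ -378` and `@@ -447`, apply to every step of those jobs, not only to the release upload. Their `if:` conditions accept `needs.update-nightly-tag.result == 'skipped'`, so the jobs presumably also run on events other than a master push, where nothing needs to be written. `actions/checkout` stores the job token in the checkout's git config by default, which leaves a write-capable credential readable by the build steps that follow. Adding `with:` / `persist-credentials: false` under each `- uses: actions/checkout@v2` in these upload jobs would remove that copy, and moving the upload into a small job of its own that alone holds `contents: write` would narrow it further. The step lists continue outside the hunks, so whether any later step relies on the persisted credential should be checked first.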
@@ -378,6 +386,8 @@ jobs:
 needs.build-windows-i686-docker.result == 'success' &&
 (needs.update-nightly-tag.result == 'success' ||
 needs.update-nightly-tag.result == 'skipped')
+ permissions:
+ contents: write
 strategy:
 matrix:
 build_type: [debug, release]
@@ -447,6 +457,8 @@ jobs:
 always() &&
 (needs.update-nightly-tag.result == 'success' ||
 needs.update-nightly-tag.result == 'skipped')
+ permissions:
+ contents: write
 env:
 TRAVIS: true
 TRAVIS_BUILD_DIR: ${{ github.workspace }}