From 2eff877338e2477a87b703aab18731e78a18faae Mon Sep 17 00:00:00 2001
From: Alex Goodman <wagoodman@users.noreply.github.com>
Date: Thu, 14 May 2026 17:02:31 -0400
Subject: [PATCH] fix release permissions to reach checks

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---
 .github/workflows/release.yaml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index b9cd930..ae6779c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -15,15 +15,16 @@ on:
         required: true
 
 jobs:
-
   version-available:
     uses: anchore/workflows/.github/workflows/check-version-available.yaml@4f25313f96311410cad4173f74617654a3e46d48 # v0.3.0
+    permissions:
+      contents: read # required for the reusable workflow to check out the repo and verify the version
     with:
       version: ${{ github.event.inputs.version }}
 
   check-gate:
     permissions:
-      checks: read   # required for getting the status of specific check names
+      checks: read # required for getting the status of specific check names
     uses: anchore/workflows/.github/workflows/check-gate.yaml@4f25313f96311410cad4173f74617654a3e46d48 # v0.3.0
     with:
       # these are checks that should be run on pull-request and merges to main.
@@ -33,15 +34,15 @@ jobs:
 
   release:
     needs: [check-gate, version-available]
-    environment: release  # contains secrets needed for release
+    environment: release # contains secrets needed for release
     runs-on: ubuntu-24.04
     permissions:
-      contents: write   # needed for creating github release objects
+      contents: write # needed for creating github release objects
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
-          fetch-depth: 0  # we need the full history to reason about changelogs and tags
-          persist-credentials: true  # needed for pushing a tag
+          fetch-depth: 0 # we need the full history to reason about changelogs and tags
+          persist-credentials: true # needed for pushing a tag
 
       # setup checkout, go, go-make, binny, and cache go modules
       - uses: anchore/go-make/.github/actions/setup@383ef7852b8ae43a30f424896b52479186d2ea4d # v0.1.0