From 8a0a5cc50a542beafe1d36fb9a3525f10e459d9b Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 23 Feb 2026 10:54:23 +0000
Subject: [PATCH 1/2] Fix release job: grant contents write permission

The rake release task (from bundler/gem_tasks) pushes to git after
building the gem. The release job only had contents: read, causing a
403 error. Changed to contents: write so the git push succeeds.

https://claude.ai/code/session_01CvCNpdSjh1STBdmS9n5DN9
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0f1e8a1..6013a8d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -61,7 +61,7 @@ jobs:
     needs: [bump]
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write
       id-token: write
 
     steps:

From 82a68db117073c96690af824b1e8159f72ebae75 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 23 Feb 2026 10:57:39 +0000
Subject: [PATCH 2/2] Restrict release workflow to main branch only

Add branches filter so tag pushes from non-main branches
don't trigger a release.

https://claude.ai/code/session_01CvCNpdSjh1STBdmS9n5DN9
---
 .github/workflows/release.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6013a8d..f348a91 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,8 @@ on:
   push:
     tags:
       - "v*"
+    branches:
+      - main
   workflow_dispatch:
     inputs:
       bump: