From 978fb0c683908a0e51e363b074a70e736f9806d4 Mon Sep 17 00:00:00 2001
From: William Phetsinorath
Date: Sun, 19 Apr 2026 03:44:34 +0200
Subject: [PATCH 1/2] Update [ghstack-poisoned]
---
 .github/workflows/release.yaml | 1 +
 modules/devenv/integrations/github/release.nix | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 5da1436..4a724b0 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -36,6 +36,7 @@ jobs:
 - nix
 permissions:
 contents: write
+ packages: write
 runs-on: ubuntu-slim
 steps:
 - id: createGithubAppToken
diff --git a/modules/devenv/integrations/github/release.nix b/modules/devenv/integrations/github/release.nix
index 485f247..a55aff0 100644
--- a/modules/devenv/integrations/github/release.nix
+++ b/modules/devenv/integrations/github/release.nix
@@ -36,7 +36,10 @@ in
 "if" = "(startsWith(github.ref, 'refs/tags/v')) || (github.event_name == 'workflow_dispatch' && startsWith(github.event.inputs.ref_name, 'v'))";
 runs-on = "ubuntu-slim";
- permissions.contents = "write";
+ permissions = {
+ contents = "write";
+ packages = "write";
+ };
 steps = [
 {
 continue-on-error = true;
From b9417f791dce21c9a8a781ca9b1faa099ea98a23 Mon Sep 17 00:00:00 2001
From: William Phetsinorath
Date: Sun, 19 Apr 2026 03:46:02 +0200
Subject: [PATCH 2/2] Update [ghstack-poisoned]
---
 .github/workflows/release.yaml | 4 +++-
 modules/devenv/integrations/github/nix.nix | 4 ++++
 modules/devenv/integrations/github/release.nix | 5 +----
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 4a724b0..66d0ccc 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
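Review bot: The `packages: write` scope added to the `release` job's `permissions` widens what GITHUB_TOKEN can do, while the first step shown, `createGithubAppToken`, suggests the release steps act with a GitHub App token instead; if no step in this job pushes with GITHUB_TOKEN the scope is unused and only extends what a compromised action in the job could reach. A short justification on the line would settle it, e.g. `packages: write # <step-id> publishes with GITHUB_TOKEN — confirm`. PATCH 2/2 in this series removes this line again and grants the scope to the `nix` job instead, so across the series this hunk nets to nothing; the `modules/devenv/integrations/github/release.nix` hunk on this line, which looks like the Nix source this workflow is generated from, makes the same change and is likewise reverted.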
@@ -22,6 +22,9 @@ permissions:
 required: true
 jobs:
 nix:
+ permissions:
+ contents: read
+ packages: write
 secrets:
 CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
 OPERATOR_PRIVATE_KEY: ${{ secrets.OPERATOR_PRIVATE_KEY }}
@@ -36,7 +39,6 @@ jobs:
 - nix
 permissions:
 contents: write
- packages: write
 runs-on: ubuntu-slim
 steps:
 - id: createGithubAppToken
diff --git a/modules/devenv/integrations/github/nix.nix b/modules/devenv/integrations/github/nix.nix
index dccf414..1d3b179 100644
--- a/modules/devenv/integrations/github/nix.nix
+++ b/modules/devenv/integrations/github/nix.nix
@@ -309,6 +309,10 @@ in
 jobs = {
 nix = {
 uses = "./.github/workflows/nix.yaml";
+ permissions = {
+ contents = "read";
+ packages = "write";
+ };
 secrets = {
 OPERATOR_PRIVATE_KEY = "\${{ secrets.OPERATOR_PRIVATE_KEY }}";
 CACHIX_AUTH_TOKEN = "\${{ secrets.CACHIX_AUTH_TOKEN }}";
diff --git a/modules/devenv/integrations/github/release.nix b/modules/devenv/integrations/github/release.nix
index a55aff0..485f247 100644
--- a/modules/devenv/integrations/github/release.nix
+++ b/modules/devenv/integrations/github/release.nix
@@ -36,10 +36,7 @@ in
 "if" = "(startsWith(github.ref, 'refs/tags/v')) || (github.event_name == 'workflow_dispatch' && startsWith(github.event.inputs.ref_name, 'v'))";
 runs-on = "ubuntu-slim";
- permissions = {
- contents = "write";
- packages = "write";
- };
+ permissions.contents = "write";
 steps = [
 {
 continue-on-error = true;
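Review bot: The job-level `permissions` block added to the `nix` job replaces, not extends, the workflow-level `permissions:` block that the hunk header suggests exists above line 22, so any other scope granted there no longer reaches `./.github/workflows/nix.yaml`, and because a called reusable workflow cannot exceed the caller's grant, `nix.yaml` (not in this diff) must fit within `contents: read` and `packages: write`. Please check that `nix.yaml` declares the scopes it needs and that the step which publishes is the one consuming `packages: write`, since every step in that workflow now gets it via GITHUB_TOKEN. A comment on the block would record the intent, e.g. `permissions: # overrides the workflow-level block; packages: write is for <publishing step in nix.yaml>`. The same block is added in `modules/devenv/integrations/github/nix.nix` in this patch; if `release.yaml` is generated from it, the comment belongs there.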