From 682e5c2caec975066145425428a2037ade389ee3 Mon Sep 17 00:00:00 2001
From: Matt Kane
Date: Mon, 18 May 2026 20:38:49 +0100
Subject: [PATCH] ci(release): grant contents:read to sync-templates caller job

The release workflow uses default-deny (permissions: {}) at the workflow level. The sync-templates reusable workflow's job requests contents: read, but a reusable-workflow job cannot exceed the calling job's permissions. Without an explicit grant on the caller, the nested job is denied contents: read and the workflow fails to start. Grants contents: read on the sync-templates caller job so the nested job is allowed to request it.
---
 .github/workflows/release.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 83fe039a5..d300fa77e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -88,6 +88,8 @@ jobs:
 if: >-
 needs.release.outputs.published == 'true' ||
 inputs.publish-only
+ permissions:
+ contents: read
 uses: ./.github/workflows/sync-templates.yml
 # Pass only the secrets sync-templates actually uses, not the full set
 # available to this release workflow.
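Review bot: The new `permissions:` block on the caller job carries no comment saying why it is there, so a later clean-up could drop it as apparently redundant with the workflow-level `permissions: {}` the commit message describes and silently reintroduce the start-up failure. I would add directly above `permissions:` the comment `# A reusable-workflow job cannot exceed the caller's permissions; the workflow default is permissions: {}, so grant exactly what sync-templates.yml requests.` The grant is scoped to the single `contents: read` the message says the nested job asks for, which keeps the least-privilege posture the existing secrets comment below it already follows; if sync-templates.yml is ever changed to need more, this block must change in step, and the comment should say so. The enclosing job starts before the hunk (only `jobs:` is visible in the hunk header), so I cannot see the job id or confirm it does not already define a job-level `permissions` key that this one would duplicate.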