From bb8d8c60c325f9bf1d6b0034bb84631d236f94b0 Mon Sep 17 00:00:00 2001
From: Christopher Horrell <christopher@horrell.ca>
Date: Sun, 31 May 2026 16:18:27 -0400
Subject: [PATCH] ci(workflows): fix permissions for GHCR push in
 update-current-image

The update-current-image workflow was failing to push to GitHub Container
Registry (GHCR) with 'permission_denied: write_package' errors due to missing
packages:write permission. Added explicit job-level permissions following
least privilege principle:

- build job: contents:read + packages:write (for building and pushing images)
- merge job: contents:read + packages:write (for creating multi-arch manifests)
- check_version job: contents:read (for repository access only)
- Removed packages:write from workflow-level permissions (per zizmor audit)
---
 .github/workflows/update-current-image.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/update-current-image.yml b/.github/workflows/update-current-image.yml
index fe3c427..bf61e71 100644
--- a/.github/workflows/update-current-image.yml
+++ b/.github/workflows/update-current-image.yml
@@ -24,6 +24,8 @@ permissions:
 jobs:
   check_version:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       NODE_VERSION: ${{ steps.get_version.outputs.NODE_VERSION }}
     steps:
@@ -159,6 +161,7 @@ jobs:
     needs: [check_version, build]
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       packages: write
     env:
       NODE_VERSION: ${{ needs.check_version.outputs.NODE_VERSION }}