From 7676102a22668dc28c386c104bcd01ddb27450b8 Mon Sep 17 00:00:00 2001
From: Will Deng <william.deng14@gmail.com>
Date: Fri, 19 Dec 2025 02:39:46 -0500
Subject: [PATCH] Add permissioning to release tag action

---
 .changes/unreleased/Security-20251219-024000.yaml | 3 +++
 .github/workflows/create-release-tag.yaml         | 2 ++
 2 files changed, 5 insertions(+)
 create mode 100644 .changes/unreleased/Security-20251219-024000.yaml

diff --git a/.changes/unreleased/Security-20251219-024000.yaml b/.changes/unreleased/Security-20251219-024000.yaml
new file mode 100644
index 0000000..3d7f229
--- /dev/null
+++ b/.changes/unreleased/Security-20251219-024000.yaml
@@ -0,0 +1,3 @@
+kind: Security
+body: Add permissioning to release tag action"
+time: 2025-12-19T02:40:00.168373-05:00
diff --git a/.github/workflows/create-release-tag.yaml b/.github/workflows/create-release-tag.yaml
index 17984d4..c0e6188 100644
--- a/.github/workflows/create-release-tag.yaml
+++ b/.github/workflows/create-release-tag.yaml
@@ -10,6 +10,8 @@ on:
 jobs:
   create-release-tag:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     if: "startsWith(github.event.head_commit.message, 'version:')"
     steps:
       - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955  # actions/checkout@v4