From 60785178a968b0e9983a3ef6d6d93bda7e6e36cf Mon Sep 17 00:00:00 2001
From: Livio Spring <livio.a@gmail.com>
Date: Fri, 10 Oct 2025 15:16:20 +0200
Subject: [PATCH] chore(ci): fix release (#10886)

# Which Problems Are Solved

The new pipeline did not correctly build the release. Console was not
built into the binary. Also there were some pipeline permission errors.

# How the Problems Are Solved

- add `build-console` as dependency to pack binaries
- streamline permissions and only pass necessary into steps

# Additional Changes

none

# Additional Context

- relates to #10571

(cherry picked from commit e742d649c80d37da4c37e24b92646999461ae754)
---
 .github/workflows/ci.yml      | 6 +++++-
 .github/workflows/pack.yml    | 5 +++++
 .github/workflows/release.yml | 2 ++
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d2cf5ed10b6..58b5f65b02a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,11 +18,12 @@ permissions:
   packages: write
   issues: write
   pull-requests: write
-  actions: write
 
 jobs:
   lint_test_build:
     uses: ./.github/workflows/lint_test_build.yml
+    permissions:
+      contents: read
     with:
       node_version: "22"
     secrets:
@@ -31,6 +32,9 @@ jobs:
 
   pack:
     uses: ./.github/workflows/pack.yml
+    permissions:
+      contents: write
+      packages: write
     secrets:
       GCR_JSON_KEY_BASE64: ${{ secrets.GCR_JSON_KEY_BASE64 }}
     if: ${{ github.event_name == 'workflow_dispatch' }}
diff --git a/.github/workflows/pack.yml b/.github/workflows/pack.yml
index 122a8e2bc52..4fdf8bf49cd 100644
--- a/.github/workflows/pack.yml
+++ b/.github/workflows/pack.yml
@@ -34,6 +34,8 @@ env:
 jobs:
   version:
     uses: ./.github/workflows/version.yml
+    permissions:
+      contents: write
     with:
       semantic_version: ${{ inputs.semantic_version }}
       dry_run: true
@@ -43,6 +45,9 @@ jobs:
       group: zitadel-public
     environment: ${{ github.ref_protected == 'true' && 'Protected' || null }}
     needs: version
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ccc3764cc8f..b68fb62a0ab 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,6 +32,8 @@ on:
 jobs:
   version:
     uses: ./.github/workflows/version.yml
+    permissions:
+      contents: write
     with:
       semantic_version: ${{ inputs.semantic_version }}
       dry_run: false