From 8a965625f38a1294300c2463afd8a99f49661201 Mon Sep 17 00:00:00 2001
From: Chad Smith
Date: Fri, 26 Jun 2026 22:13:01 +0000
Subject: [PATCH] ci: update tag and publish with write perms for git push

Fix ability to push new VERSION tag to upstream upon merge to main. Limit write permissions to just the tag-release job.
---
 .github/workflows/tag_and_publish.yaml | 5 +++++
 VERSION | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/tag_and_publish.yaml b/.github/workflows/tag_and_publish.yaml
index c49d0c86..68255bfe 100644
--- a/.github/workflows/tag_and_publish.yaml
+++ b/.github/workflows/tag_and_publish.yaml
@@ -6,9 +6,14 @@ on:

 concurrency: ${{ github.ref }}

+permissions:
+ contents: read # Default: read-only; widen per-job as needed
+
 jobs:
 tag-release:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # For git push of version tag
 outputs:
 version: ${{ steps.tag-release.outputs.version}}
 steps:
diff --git a/VERSION b/VERSION
index 2f6094b5..2cbcd950 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1!10.18.0
+1!10.18.1
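Review bot: The new top-level `permissions:` block sets every scope it does not list to `none`, so any other job in this workflow (the publish job, if there is one, is outside this hunk) that relies on a scope such as `id-token: write` or `packages: write` now has to declare it in its own job-level block. I would make that explicit in the comment, e.g. `contents: read  # all unlisted scopes become none; widen per job`. With `contents: write` on `tag-release`, every action referenced in that job's `steps:` (which continue outside the hunk) runs with a token that can push to the repository, so those `uses:` entries are worth pinning to full commit SHAs, and any `${{ }}` expression expanded inside a `run:` script there is safer passed through `env:`.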