From 7260f461bba0f96cc052a909763ed475affcc640 Mon Sep 17 00:00:00 2001
From: feder-cr <85809106+feder-cr@users.noreply.github.com>
Date: Tue, 9 Jun 2026 12:29:35 +0200
Subject: [PATCH] ci: verify-assets needs contents:write to read draft releases
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

gh release download 404s ("release not found") on a draft tag when the token is contents:read — GitHub only shows drafts to tokens with push access. The workflow still only reads assets; the scope bump is purely for draft visibility.
---
 .github/workflows/verify-assets.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/verify-assets.yml b/.github/workflows/verify-assets.yml
index fea5805..cceac70 100644
--- a/.github/workflows/verify-assets.yml
+++ b/.github/workflows/verify-assets.yml
@@ -23,7 +23,11 @@ on:
 required: true
 permissions:
- contents: read
+ # write (not read) is required: GitHub only exposes DRAFT releases to tokens
+ # with push access. With contents:read, `gh release download` on a draft tag
+ # 404s ("release not found"). This workflow only READS assets — the elevated
+ # scope is solely to make draft releases visible to GITHUB_TOKEN.
+ contents: write
 jobs:
 drive:
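Review bot: The `contents: write` grant sits in the workflow-level `permissions:` block, so every job and every step that receives GITHUB_TOKEN gets push, tag and release-write access, and nothing enforces the "only READS assets" promise in the comment. Because this workflow verifies release assets, a token that can also replace or delete those assets weakens the check if any step or third-party action in it misbehaves. Consider keeping the top-level default at `contents: read` and declaring `permissions:` with `contents: write` only on the job that runs `gh release download`, handing the token to that one step as `GH_TOKEN: ${{ github.token }}`. The body of the `drive:` job lies outside the hunk, so which steps actually see the token could not be checked here.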