From 5c8015b9147ba2e73c69399dfc497b866c3d9017 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 11 Mar 2026 22:48:35 +0000 Subject: [PATCH 1/2] Initial plan From 823e8fd1f89179df4ebe7ce1bcf12d0e96f6a27e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 11 Mar 2026 23:06:21 +0000 Subject: [PATCH 2/2] fix: add permissions to sync_actions job in release.md The sync_actions job calls a reusable workflow (sync-actions.yml) that requires contents: write and pull-requests: write. Since the compiler always writes permissions: {} at the top-level of lock files, the calling job must explicitly grant the required permissions. Adds permissions: contents: write, pull-requests: write to the sync_actions job in release.md and recompiles release.lock.yml. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/release.lock.yml | 6 +++++- .github/workflows/release.md | 3 +++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index d824c82341..7cf31d0145 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -23,7 +23,7 @@ # # Build, test, and release gh-aw extension, then generate and prepend release highlights # -# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"c786595ddce61f885cd01de8a360d660b592fbe50308aca12685f782f573718a"} +# gh-aw-metadata: {"schema_version":"v2","frontmatter_hash":"2cb0f21ae34ffe6602495148ee30ff8a2a3da4803213b7d294805b71dfa02051"} name: "Release" "on": @@ -1469,6 +1469,10 @@ jobs: - config - pre_activation - push_tag + permissions: + contents: write + pull-requests: write + uses: github/gh-aw-actions/.github/workflows/sync-actions.yml@main with: ref: ${{ needs.config.outputs.release_tag }} 
diff --git a/.github/workflows/release.md b/.github/workflows/release.md index a60353d663..abfec8f51e 100644 --- a/.github/workflows/release.md +++ b/.github/workflows/release.md @@ -207,6 +207,9 @@ jobs: with: ref: ${{ needs.config.outputs.release_tag }} secrets: inherit + permissions: + contents: write + pull-requests: write release: needs: ["pre_activation", "activation", "config", "sync_actions"]
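Review bot: The added `permissions:` block on `sync_actions` grants `contents: write` and `pull-requests: write` to a reusable workflow that, per the compiled lock file in this same patch, is referenced by the mutable ref `sync-actions.yml@main`, and the job also passes `secrets: inherit`. Whatever is at the tip of that branch when a release runs executes with a write-scoped token and every secret of the calling workflow, so the trust boundary is the other repository's `main` branch rather than a reviewed revision. Consider pinning the reference to a full commit SHA (`uses: github/gh-aw-actions/.github/workflows/sync-actions.yml@<full-commit-sha>`) and replacing `secrets: inherit` with an explicit `secrets:` map of only the values the called workflow reads. A short comment above the block, such as `# required by sync-actions.yml; the compiled lock file sets top-level permissions to {}`, would keep the reason for the two write scopes next to the grant. The `sync_actions` job begins above this hunk, so its `uses:` line in release.md is not visible here and is inferred from the lock file hunk.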