[build] Add permissions for nightly job in release workflow#17031

Merged
titusfortner merged 1 commit into trunk from release_yml
Jan 31, 2026

Conversation

@titusfortner (Member)

💥 What does this PR do?

Adds contents: write and packages: write permissions to the nightly job in the release workflow.

When the release workflow calls the reusable nightly.yml workflow, the called workflow's permissions are constrained by the caller's permissions. Without explicit permissions on the nightly job, it only inherits contents: read from the top-level workflow permissions, causing the nightly workflow to fail when:

  • Creating GitHub releases (requires contents: write)
  • Publishing to GitHub Packages (requires packages: write)

🔧 Implementation Notes

Added a job-level permissions block to the nightly job, following the same pattern used by other jobs in the workflow (github-release, docs, update-version).

💡 Additional Considerations

None - this is a straightforward permissions fix.

🔄 Types of changes

  • Bug fix (backwards compatible)
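As an added illustration (not the PR's diff and not the Selenium repository's own workflow files), the caller/callee pair below shows why the job-level block is needed. The workflow names, trigger, the `nightly-before` job, the callee's `publish` job and its `publish-nightly.sh` step are all assumed for the example; only the `nightly` job block mirrors what the PR adds.

```yaml
# Added example, not the project's own release.yml / nightly.yml.
# Document 1: the caller (assumed minimal shape of .github/workflows/release.yml)
name: Release

on:
  push:
    tags: ['selenium-*']   # assumed trigger for the example

# Workflow-level default: every job's GITHUB_TOKEN starts read-only, and every
# scope not listed here (issues, pull-requests, packages, ...) is set to none.
permissions:
  contents: read

jobs:
  # BEFORE the fix: no job-level permissions. A job that calls a reusable
  # workflow hands the callee at most the token it has itself, so nightly.yml
  # can only get contents: read. Its release-creation and package-publish
  # steps then fail, even if nightly.yml declares write permissions itself.
  nightly-before:
    uses: ./.github/workflows/nightly.yml

  # AFTER (the PR's change): the caller grants exactly the two scopes the
  # callee needs. Listing any scope at job level sets every unlisted scope
  # to none for this job, so this is narrower than a blanket write-all.
  nightly:
    permissions:
      contents: write
      packages: write
    uses: ./.github/workflows/nightly.yml

---
# Document 2: the callee (assumed minimal shape of .github/workflows/nightly.yml)
# A reusable workflow may declare permissions as well, but it can only narrow
# what the caller passed in, never widen it; asking for a scope the caller did
# not grant fails the call instead of silently downgrading it.
name: Nightly

on:
  workflow_call:

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # needed to create the nightly GitHub release
      packages: write   # needed to push to GitHub Packages
    steps:
      - uses: actions/checkout@v4
      - run: ./publish-nightly.sh   # placeholder for the real publish steps
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The two documents are separated with `---` only so they fit one block; in a repository each lives in its own file. The defender-side check is simple: for every `uses:` job in a caller, the job's (or workflow's) `permissions` must be a superset of what the callee's jobs declare, and nothing more.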

@qodo-code-review (Contributor)

PR Type

Bug fix


Description

  • Add explicit permissions to nightly job in release workflow

  • Grants contents:write and packages:write permissions needed

  • Fixes nightly workflow failures when creating releases

  • Enables publishing to GitHub Packages during nightly builds


File Walkthrough

Relevant files

Configuration changes

release.yml (.github/workflows/release.yml), +3/-0: Add explicit permissions to nightly job
  • Added permissions block to nightly job with contents: write and packages: write
  • Ensures nightly workflow inherits required permissions from caller
  • Follows same permission pattern as other jobs in workflow
  • Fixes failures when creating GitHub releases and publishing packages

@selenium-ci added the label "B-build Includes scripting, bazel and CI integrations" on Jan 31, 2026

@qodo-code-review (Contributor)

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Excessive GitHub permissions

Description: The nightly job is granted contents: write and packages: write (lines 198-200), which
increases the blast radius of any compromise or unsafe steps in the reused
./.github/workflows/nightly.yml workflow (e.g., a malicious change could create/modify
releases or publish packages), so ensure the called workflow is tightly controlled and
that the permissions are the minimum required (consider further scoping such as contents:
write only when creating releases and packages: write only when publishing).
release.yml [195-201]

Referred Code
nightly:
  name: Publish Nightly Packages
  needs: [parse-tag, update-version]
  permissions:
    contents: write
    packages: write
  uses: ./.github/workflows/nightly.yml
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined


Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Passed


Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Permission change logging: The PR increases the nightly job token permissions (contents: write, packages: write) but
the diff does not show any explicit audit logging/traceability controls for this
permission change beyond standard Git/GitHub history, which may or may not satisfy
required audit trail policies.

Referred Code
nightly:
  name: Publish Nightly Packages
  needs: [parse-tag, update-version]
  permissions:
    contents: write
    packages: write
  uses: ./.github/workflows/nightly.yml


Compliance status legend 🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@qodo-code-review (Contributor)

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Security
Suggestion: Reduce contents write permission

Reduce security risk by changing the contents permission from write to read if
the job does not need to write to the repository.

.github/workflows/release.yml [198-200]

 permissions:
-  contents: write
+  contents: read
   packages: write
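Review bot: Downgrading contents to read in this hunk contradicts the need stated in the PR description, where the nightly workflow creates GitHub releases and that step requires contents: write; applying the suggestion as written would reintroduce the exact failure the PR fixes. If tighter scoping is the goal, the place to do it is inside nightly.yml, as the compliance note above already hints: let only the release-creating job declare contents: write and only the package-publishing job declare packages: write, while the caller still grants both, since a called workflow can narrow but never widen the permissions it receives.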
Suggestion importance [1-10]: 7

Why: The suggestion correctly raises a security concern about using the high-privilege contents: write permission and prompts the user to verify if the less-privileged read permission is sufficient, adhering to the principle of least privilege.

Impact: Medium

Copilot AI left a comment

Pull request overview

This PR fixes a permissions issue in the release workflow by adding explicit contents: write and packages: write permissions to the nightly job. Without these permissions, the called nightly.yml workflow fails because it inherits only contents: read from the top-level workflow, which is insufficient for creating GitHub releases and publishing packages.

Changes:

  • Added job-level permissions block to the nightly job in .github/workflows/release.yml with contents: write and packages: write

@titusfortner titusfortner merged commit b417147 into trunk Jan 31, 2026
48 checks passed
@titusfortner titusfortner deleted the release_yml branch January 31, 2026 16:59

Labels

B-build Includes scripting, bazel and CI integrations Review effort 1/5
