From 9421c06c8d28a26a601e1cc1a832ab2ef1ea0306 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Mon, 6 Oct 2025 06:27:37 +0000
Subject: [PATCH 1/2] ci: remove upload documents from matrix job

---
 .github/workflows/release-build.yml | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index 3462f92c..934d4632 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -90,16 +90,6 @@ jobs:
 GH_TOKEN: ${{ github.token }}
 REPOSITORY_OWNER: ${{ github.repository_owner }}
 REPOSITORY_NAME: ${{ github.event.repository.name }}
- - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
- with:
- pattern: documents
- - name: Upload documents to release
- run: |
- set -Eeuo pipefail
- gh release upload "${REF_NAME}" ./*.pdf
- env:
- GH_REPO: ${{ github.repository }}
- GH_TOKEN: ${{ github.token }}
 - name: Update package details in release
 run: |
 set -Eeuo pipefail
@@ -111,3 +101,19 @@ jobs:
 DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
 GH_REPO: ${{ github.repository }}
 GH_TOKEN: ${{ github.token }}
+ upload-documents:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ needs: [build-push-test]
+ steps:
+ - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+ with:
+ pattern: documents
+ - name: Upload documents to release
+ run: |
+ set -Eeuo pipefail
+ gh release upload "${REF_NAME}" ./*.pdf
+ env:
+ GH_REPO: ${{ github.repository }}
+ GH_TOKEN: ${{ github.token }}

From a4b4e883db728e2e8db65fbe02b3dd7e49b9e6c3 Mon Sep 17 00:00:00 2001
From: Ron <45816308+rjaegers@users.noreply.github.com>
Date: Mon, 6 Oct 2025 11:25:54 +0000
Subject: [PATCH 2/2] chore: fix zizmor findings

---
 .github/workflows/release-build.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
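Review bot: The new `upload-documents` job runs `gh release upload "${REF_NAME}" ./*.pdf` under `set -Eeuo pipefail`, but the only env the hunk gives that step is `GH_REPO` and `GH_TOKEN`; the matrix job this step was lifted out of has a job-level `env:` block (visible as context in the second commit's hunk at new-file line 62) that presumably supplied `REF_NAME`, so unless it is also defined at workflow level outside this hunk, `-u` will abort the step with an unbound-variable error. Adding `REF_NAME` to the step's `env:` with the same value the matrix job assigns it would restore the old behaviour. The job also opens directly with `actions/download-artifact`, whereas the other jobs in this file start with a pinned `step-security/harden-runner` step, so the new job is the only one without an egress policy and should likely get the same first step. Whether a re-run against an existing release should pass `--clobber` to `gh release upload` is worth deciding explicitly as well, since without it the step fails on the second attempt.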
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index 934d4632..1bdc5de6 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -33,6 +33,9 @@ jobs:
 apply-release-notes-template:
 runs-on: ubuntu-latest
 permissions:
+ # `contents: write` is needed to modify a release.
+ # Please note that this is an overly broad scope, but GitHub does not
+ # currently provide a more fine-grained permission for release modification.
 contents: write
 steps:
 - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
@@ -59,6 +62,9 @@ jobs:
 flavor: [cpp, rust]
 runs-on: ubuntu-latest
 permissions:
+ # `contents: write` is needed to modify a release.
+ # Please note that this is an overly broad scope, but GitHub does not
+ # currently provide a more fine-grained permission for release modification.
 contents: write
 needs: [build-push-test, apply-release-notes-template]
 env:
@@ -104,6 +110,9 @@ jobs:
 upload-documents:
 runs-on: ubuntu-latest
 permissions:
+ # `contents: write` is needed to modify a release.
+ # Please note that this is an overly broad scope, but GitHub does not
+ # currently provide a more fine-grained permission for release modification.
 contents: write
 needs: [build-push-test]
 steps:
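Review bot: The three-line rationale added under `permissions:` here is repeated verbatim in the two later hunks (new-file lines 62 and 110), and as free text it is invisible to the tool the commit title names: if the zizmor finding being addressed is its excessive-permissions audit, a plain comment leaves the finding in place, whereas zizmor's own suppression marker on the flagged line, `contents: write  # zizmor: ignore[excessive-permissions]`, both quiets it and records the accepted risk in a form the linter checks. Whichever route is taken, one line per site such as `# contents: write is the narrowest scope GitHub offers for editing a release` keeps the justification next to the key it qualifies without tripling the same paragraph. The surrounding jobs' steps and env lie outside these hunks.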