From 5244cbf81dbfb0277eb27702bdc261f37ac35867 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Thu, 21 May 2026 14:24:59 +0200
Subject: [PATCH] ci: restrict update-dist GitHub App token scope

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/update-dist.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/update-dist.yml b/.github/workflows/update-dist.yml
index 1908013..85d22aa 100644
--- a/.github/workflows/update-dist.yml
+++ b/.github/workflows/update-dist.yml
@@ -26,6 +26,8 @@ jobs:
           app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
           private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
           owner: docker
+          repositories: login-action
+          permission-contents: write
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2