From d717e33d65cc5d25dea026d0f9d00c4ce71687c6 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Thu, 21 May 2026 14:27:36 +0200
Subject: [PATCH] ci: restrict update-dist GitHub App token scope

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/update-dist.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/update-dist.yml b/.github/workflows/update-dist.yml
index 1908013..892debc 100644
--- a/.github/workflows/update-dist.yml
+++ b/.github/workflows/update-dist.yml
@@ -26,6 +26,8 @@ jobs:
           app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
           private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
           owner: docker
+          repositories: setup-buildx-action
+          permission-contents: write
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2