From 1393c8330228bcf79f15969e00e7da030989b771 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Thu, 21 May 2026 14:31:27 +0200
Subject: [PATCH] ci: restrict update-dist GitHub App token scope

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/update-dist.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/update-dist.yml b/.github/workflows/update-dist.yml
index 0d0f65f..41694c0 100644
--- a/.github/workflows/update-dist.yml
+++ b/.github/workflows/update-dist.yml
@@ -26,6 +26,8 @@ jobs:
           app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
           private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
           owner: docker
+          repositories: setup-qemu-action
+          permission-contents: write
       -
         name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2