From fa308696b493be94f973b41d3f4146ce51bc9482 Mon Sep 17 00:00:00 2001
From: Shantur Rathore
Date: Tue, 6 Jan 2026 20:32:29 +0000
Subject: [PATCH] Allow callers to control workflow permissions
---
 .github/workflows/build-and-upload.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-and-upload.yml b/.github/workflows/build-and-upload.yml
index 33520871..4a24ad6e 100644
--- a/.github/workflows/build-and-upload.yml
+++ b/.github/workflows/build-and-upload.yml
@@ -29,9 +29,8 @@ on:
 default: true
 type: boolean

-permissions:
- id-token: write
- contents: write
+# Permissions are intentionally omitted here so callers can choose
+# least-privilege (e.g. dev CI uses read-only; releases grant write).

 env:
 NODE_VERSION: 20
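Review bot: With the top-level `permissions:` block removed, the token scope of this workflow is whatever the caller passes down, and a caller that declares no `permissions:` of its own falls back to the repository or organisation default, which can be read/write on every scope, broader than the two scopes the old block pinned. The new comment should state that requirement, not only the intent, for example `# Callers MUST declare permissions: explicitly; without it the repository default token scope applies.` and `# Release callers need contents: write and id-token: write; id-token is not part of the default token and must be granted explicitly.` The jobs are outside this hunk, so I cannot see which steps rely on OIDC or on pushing release assets; if only one job needs them, a job-level `permissions:` on that job would narrow the scope further, since a called workflow can reduce but never raise what the caller grants. This assumes the file is used through `workflow_call`, which the subject line suggests but the visible part of `on:` does not confirm.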