From 940f08596933279445d8e6f60d8deaa21700c46e Mon Sep 17 00:00:00 2001
From: Juan Cernadas
Date: Tue, 26 May 2026 18:02:21 -0300
Subject: [PATCH] fix(ci): grant packages:write to maven-publish deploy job

Restores GitHub Packages deploys after they started failing with HTTP 403. The deploy job did not declare a `permissions:` block, so it inherited the org-wide default for GITHUB_TOKEN. When that default does not include `packages: write`, the maven-deploy step is rejected by maven.pkg.github.com regardless of the token being valid. Declaring the permission at the job level makes the workflow self-sufficient and consistent with release.yml, which already pins its own permissions.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/maven-publish.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/maven-publish.yml b/.github/workflows/maven-publish.yml
index 417915f..d10d8b8 100644
--- a/.github/workflows/maven-publish.yml
+++ b/.github/workflows/maven-publish.yml
@@ -70,6 +70,9 @@ jobs:
 deploy:
 runs-on: ubuntu-latest
 needs: [build, test]
+ permissions:
+ contents: read
+ packages: write
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
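Review bot: The new `permissions:` block covers only `deploy`; the `build` and `test` jobs named in `needs:` are outside this hunk and, if they declare nothing, still inherit the org-wide GITHUB_TOKEN default the commit message describes, so a workflow-level `permissions:` with `contents: read` would keep every job least-privilege regardless of that default. Because `deploy` now holds a write-capable token, the `actions/checkout@v4` step in it is worth pinning to a full commit SHA instead of a mutable tag, and giving a `with:` block containing `persist-credentials: false` so the token is not left in the local git config for later build steps. The job's remaining steps and the workflow triggers are not visible here, so confirm that `deploy` cannot be reached from untrusted pull-request events.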