From db267ddb8e85dd6b8ecebfa6da4e1fec83ffed60 Mon Sep 17 00:00:00 2001
From: PeterChrz <pc@stampedepress.org>
Date: Tue, 31 Mar 2026 22:53:55 -0400
Subject: [PATCH] fix(ci): add packages:write permission for container registry
 push

The GITHUB_TOKEN auto-generated by Forgejo Actions requires explicit
packages:write scope to authenticate with the Forgejo container registry.
Without this, docker/login-action fails with a 401/403, which caused all
builds to fail within ~30 seconds at the login step.

Also adds contents:read as a best-practice minimal-privilege declaration.
---
 .forgejo/workflows/docker-build.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.forgejo/workflows/docker-build.yml b/.forgejo/workflows/docker-build.yml
index 0638fd7..93429ab 100644
--- a/.forgejo/workflows/docker-build.yml
+++ b/.forgejo/workflows/docker-build.yml
@@ -9,6 +9,9 @@ on:
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@v4