chore: scope release workflow permissions

shortov · shortov · commit 9ab8451176ee · 2026-04-14T00:55:46.000-04:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,9 +5,6 @@ on:
     types: [published]
   workflow_dispatch:
 
-permissions:
-  contents: write
-
 jobs:
   lint:
     name: PHPCS Lint
@@ -39,8 +36,27 @@ jobs:
       - name: Build ZIP
         run: ./build-zip.sh
 
+      - name: Upload ZIP artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: plugin-zip
+          path: aeo-content-ai-studio.zip
+          if-no-files-found: error
+
+  release_asset:
+    name: Upload ZIP to GitHub Release
+    runs-on: ubuntu-latest
+    if: ${{ github.event_name == 'release' }}
+    needs: build
+    permissions:
+      contents: write
+    steps:
+      - name: Download ZIP artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: plugin-zip
+
       - name: Upload ZIP to release
-        if: ${{ github.event_name == 'release' }}
         uses: softprops/action-gh-release@v2
         with:
           files: aeo-content-ai-studio.zip
@@ -50,7 +66,7 @@ jobs:
     name: Deploy to WordPress.org
     runs-on: ubuntu-latest
     if: ${{ github.event_name == 'release' }}
-    needs: [lint, build]
+    needs: [lint, build, release_asset]
     steps:
       - name: Checkout
         uses: actions/checkout@v5
