From 7dadd5f88e039461d8b4456a2f7a6f21264be16d Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Tue, 2 Jun 2026 17:31:10 +0200 Subject: [PATCH] ci(go-lib): grant id-token and attestations to release caller template The go-lib release.yml caller granted only `contents: write`, but the golib-create-release reusable workflow's release job requests `id-token: write` (cosign keyless) and `attestations: write` (#16). A called reusable workflow requesting more permissions than the caller grants fails at startup, so every go-lib repo's release workflow startup-failed on its first tag since the migration (observed on netresearch/go-cron v0.15.0). Mirror the go-app template, which already grants all three. Signed-off-by: Sebastian Mendel --- templates/go-lib/.github/workflows/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/go-lib/.github/workflows/release.yml b/templates/go-lib/.github/workflows/release.yml index 2f8f892..372dd73 100644 --- a/templates/go-lib/.github/workflows/release.yml +++ b/templates/go-lib/.github/workflows/release.yml @@ -12,3 +12,5 @@ jobs: uses: netresearch/.github/.github/workflows/golib-create-release.yml@main permissions: contents: write + id-token: write + attestations: write
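Review bot: The added `id-token: write` and `attestations: write` are granted to a reusable workflow that the context line just above references by a mutable ref, `golib-create-release.yml@main`. Whatever is on that branch when a tag is pushed runs with OIDC token minting, attestation write and the existing `contents: write` in every repo generated from this template. Consider pinning the `uses:` reference to a commit SHA or a release tag, so the wider grant applies only to a reviewed revision of the called workflow. It would also help to put a short trailing comment on each new line, taken from the commit message (`# cosign keyless` and `# attestations, see #16`). The startup failure described there came from the caller and the called workflow drifting apart, and the comments make it less likely that someone later trims these permissions as unused.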