@glenn-jocher glenn-jocher commented Oct 9, 2025

Potential fix for https://github.com/ultralytics/assets/security/code-scanning/1

To fix the problem, explicitly declare the least-privileged permissions block in the workflow configuration. This should be set at the root level (applies to all jobs unless overridden), or directly within the tag-and-release job definition. For this workflow, since it creates tags and releases, it needs contents: write (for tagging and release creation). If the workflow also uses the API in other ways (e.g., managing issues or PRs), other permissions may be required, but for the observed steps, contents: write should suffice.

The minimal fix is to add:

permissions:
  contents: write

at the root of the YAML file (after the name key and before on:), applying least privilege for the necessary GITHUB_TOKEN operations.

Specifically:

  • Edit .github/workflows/tag.yml
  • Add a permissions block at or after line 6, ideally immediately following name: Tag and Release.

No additional imports or external code are required.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

🛠️ PR Summary

Made with ❤️ by Ultralytics Actions

🌟 Summary

Adds explicit GitHub Actions permissions to allow the Tag and Release workflow to create tags/releases reliably. 🔧🚀

📊 Key Changes

  • Configures workflow permissions with contents: write in .github/workflows/tag.yml.

🎯 Purpose & Impact

  • Ensures the tagging/release workflow can push tags and publish releases using GITHUB_TOKEN, preventing permission-related failures. ✅
  • Aligns with GitHub’s least-privilege model by granting only the needed scope. 🔒
  • No impact on users of YOLO models or Ultralytics HUB; this is a CI/CD reliability improvement for maintainers. 🧰
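A worked version of the change described in the Autofix comment above, added here as an illustration and not the contents of ultralytics/assets' actual tag.yml. Only the file path, the workflow name Tag and Release, the job name tag-and-release and the contents: write grant come from the discussion; the workflow_dispatch trigger, the steps and the use of the preinstalled gh CLI are assumptions. Before the fix the file had no permissions key at all, so GITHUB_TOKEN received whatever the repository's default workflow-permissions setting allowed. The example shows the root-level block the fix adds and, as the tighter alternative the comment also mentions, the same grant scoped to the one job that needs it.

```yaml
# Hypothetical reconstruction of .github/workflows/tag.yml (example only, not
# the repository's file). The trigger and steps are assumptions; only the path,
# workflow name, job name and the `contents: write` grant come from the PR.
name: Tag and Release

# Variant A (what this PR adds): a root-level block, applied to every job
# unless a job overrides it. Declaring any permission here sets every scope
# that is not listed to no access (metadata stays read), so this is already
# narrower than inheriting a "read and write" repository default.
permissions:
  contents: write

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Version to tag, e.g. v1.2.3"
        required: true

jobs:
  tag-and-release:
    runs-on: ubuntu-latest
    # Variant B (stricter): delete the root-level block above, or set it to
    # `permissions: {}`, and grant write access only to this job. Other jobs
    # added later then stay read-only by default.
    # permissions:
    #   contents: write
    steps:
      # checkout persists GITHUB_TOKEN as the git credential, which is what
      # lets `git push` of the tag below succeed with contents: write.
      - uses: actions/checkout@v4

      - name: Create tag and release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ inputs.version }}
        run: |
          git tag "$VERSION"
          git push origin "$VERSION"
          # Publishing a release also needs contents: write on the token.
          gh release create "$VERSION" --generate-notes
```

Two caveats worth keeping in mind with either variant: the block overrides only the token scope, so it is still worth checking the repository's Settings > Actions > Workflow permissions default for the workflows that do not declare one; and tags or releases created with GITHUB_TOKEN do not trigger other workflows' push or release events, so a separate build-on-tag workflow would need an app token or PAT rather than this token.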

glenn-jocher and others added 2 commits October 9, 2025 21:13
…n permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Glenn Jocher <glenn.jocher@ultralytics.com>
Signed-off-by: Glenn Jocher <glenn.jocher@ultralytics.com>
@glenn-jocher glenn-jocher marked this pull request as ready for review October 9, 2025 19:13
@UltralyticsAssistant UltralyticsAssistant added the devops GitHub Devops or MLops label Oct 9, 2025
@UltralyticsAssistant

👋 Hello @glenn-jocher, thank you for submitting an ultralytics/assets 🚀 PR! This is an automated response to help streamline reviews. An Ultralytics engineer will also assist you here shortly. To ensure a seamless integration of your work, please review the following checklist:

  • Define a Purpose: Clearly explain the purpose of your fix or feature in your PR description, and link to any relevant issues. Ensure your commit messages are clear, concise, and adhere to the project's conventions.
  • Synchronize with Source: Confirm your PR is synchronized with the ultralytics/assets main branch. If it's behind, update it by clicking the 'Update branch' button or by running git pull and git merge main locally.
  • Ensure CI Checks Pass: Verify all Ultralytics Continuous Integration (CI) checks are passing. If any checks fail, please address the issues.
  • Update Documentation: Update the relevant documentation for any new or modified features.
  • Add Tests: If applicable, include or update tests to cover your changes, and confirm that all tests are passing.
  • Sign the CLA: Please ensure you have signed our Contributor License Agreement if this is your first Ultralytics PR by writing "I have read the CLA Document and I sign the CLA" in a new message.
  • Minimize Changes: Limit your changes to the minimum necessary for your bug fix or feature addition. "It is not daily increase but daily decrease, hack away the unessential. The closer to the source, the less wastage there is." — Bruce Lee

For more guidance, please refer to our Contributing Guide. Don’t hesitate to leave a comment if you have any questions. Thank you for contributing to Ultralytics! 🚀

🛠️ PR Summary

Made with ❤️ by Ultralytics Actions

🌟 Summary

Adds explicit write permissions to the GitHub Actions “Tag and Release” workflow to ensure it can create tags and releases ✅

📊 Key Changes

  • Introduced a permissions block in .github/workflows/tag.yml
    • Set contents: write to allow the workflow to push tags and create releases

🎯 Purpose & Impact

  • Ensures the Tag and Release workflow can successfully create tags/releases without permission errors 🔐
  • Addresses failures caused by restricted default GitHub token permissions (e.g., “Resource not accessible by integration”) 🛠️
  • Scoped, minimal permission change that follows the principle of least privilege ✅
  • No impact on end users or model behavior; improves CI/CD reliability for maintainers 🚀

@glenn-jocher glenn-jocher merged commit aed12dc into main Oct 9, 2025
1 check failed
@glenn-jocher glenn-jocher deleted the alert-autofix-1 branch October 9, 2025 19:50
@UltralyticsAssistant

🎉 Great merge, @glenn-jocher — thank you!

“Simplicity is the ultimate sophistication.” — Leonardo da Vinci. Your update to set explicit contents: write permissions in .github/workflows/tag.yml embodies that principle: a precise, least-privilege change that makes our Tag and Release workflow consistently reliable with GITHUB_TOKEN. This reduces CI friction for maintainers while keeping zero impact on YOLO users and Ultralytics HUB.

Appreciate the clean, pragmatic improvement! See details in the merged pull request #110. 🙌
