From 1ebfa58ae3472be3f67d09eca20b386caf65dfb3 Mon Sep 17 00:00:00 2001
From: Ulrich Huber <ulrich.uh.huber@bmw.de>
Date: Thu, 26 Feb 2026 12:59:19 +0100
Subject: [PATCH 1/2] Drop write permissions in coverage workflow

---
 .github/workflows/coverage_report.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/coverage_report.yml b/.github/workflows/coverage_report.yml
index 8e635a53b..2ac716e62 100644
--- a/.github/workflows/coverage_report.yml
+++ b/.github/workflows/coverage_report.yml
@@ -24,8 +24,6 @@ on:
 jobs:
   coverage-report:
     runs-on: ubuntu-24.04
-    permissions:
-      contents: write # required to upload release assets
     outputs:
       artifact-name: ${{ steps.set-artifact-name.outputs.artifact-name }}
 

From 2103bc2e8c614d8c782d615b5be61cbbe71fd4aa Mon Sep 17 00:00:00 2001
From: Ulrich Huber <ulrich.uh.huber@bmw.de>
Date: Thu, 26 Feb 2026 13:11:03 +0100
Subject: [PATCH 2/2] Fixup release on-fail job

Trigger the job at the very end on failure.
---
 .github/workflows/automated_release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/automated_release.yml b/.github/workflows/automated_release.yml
index 92633b1e2..fc9dab9a3 100644
--- a/.github/workflows/automated_release.yml
+++ b/.github/workflows/automated_release.yml
@@ -132,7 +132,7 @@ jobs:
 
   delete-release-on-failure:
     runs-on: ubuntu-24.04
-    needs: create-draft-release
+    needs: finalize-release
     if: ${{ failure() || cancelled() }}
     permissions:
       contents: write