From 73ac2cf96f6d6048792be65c70b3d2dde802cd83 Mon Sep 17 00:00:00 2001 From: veilor-org Date: Sat, 2 May 2026 22:13:44 +0100 Subject: [PATCH] ci: grant contents:write + drop artifact upload-on-failure Two follow-ups to 75a68a1 (releases switchover): 1. action-gh-release got 403 "Resource not accessible by integration" because default GITHUB_TOKEN has read-only on contents. Added workflow-level `permissions: contents: write`. 2. Failure-path artifact upload still hit quota wall. Replaced with inline `tail` of build/out/build.log + anaconda program.log directly to job log. No artifact upload = no quota. --- .github/workflows/build-iso.yml | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build-iso.yml b/.github/workflows/build-iso.yml index 87b1080..c264234 100644 --- a/.github/workflows/build-iso.yml +++ b/.github/workflows/build-iso.yml @@ -19,6 +19,9 @@ on: release: types: [published] +permissions: + contents: write # needed for action-gh-release to create+update ci-latest + jobs: build: name: Build live ISO @@ -188,15 +191,15 @@ jobs: build/out/*.iso build/out/*.sha256 - - name: Upload build log on failure + # Build log on failure: print inline + skip artifact upload to avoid + # quota wall. Job log retains everything anyway. + - name: Print build log on failure if: failure() - uses: actions/upload-artifact@v4 - with: - name: veilor-os-buildlog - path: | - build/out/build.log - build/out/build/anaconda/ - retention-days: 1 + run: | + echo "─── build/out/build.log ───" + tail -200 build/out/build.log 2>/dev/null || echo "(no build.log)" + echo "─── anaconda program.log ───" + find build/out/build/anaconda -name 'program.log' -exec tail -100 {} \; 2>/dev/null || echo "(no anaconda log)" - name: Attach to release on tag if: github.event_name == 'release'
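Review bot: The `permissions:` block added at workflow level hands a write-scoped GITHUB_TOKEN to every job and step in build-iso.yml, including the ISO build steps, although the commit message names only action-gh-release as needing it. Prefer a read-only default with the grant on the publishing job: `permissions:` / `contents: read` at the top level, and `permissions:` / `contents: write` under `jobs.build`. The build and the release upload appear to share one job, so also check that the checkout step (outside this hunk) sets `persist-credentials: false`; otherwise the write token stays in `.git/config` while the build scripts run. The inline comment could then name the step that consumes the permission.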
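Review bot: The new `Print build log on failure` step moves the tail of build.log and anaconda program.log from a 1-day artifact into the job log, which is kept for the repository's log-retention period and is readable by everyone who can view the Actions run. GitHub masks only values registered as secrets, so anything else the build or installer writes (for example credentials embedded in repository URLs, or kickstart values) would be printed unredacted; confirm that neither log can carry such data, or filter before printing. Separately, the `|| echo "(no anaconda log)"` fallback fires only when the directory is missing, because `find` exits 0 when nothing matches. Several program.log files would also be printed without file names; `-exec sh -c 'echo "== $1"; tail -100 "$1"' _ {} \;` would label each one.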