ci: grant contents:write + drop artifact upload-on-failure

Two follow-ups to b8ddf33 (releases switchover):

1. action-gh-release got 403 "Resource not accessible by integration"
   because default GITHUB_TOKEN has read-only on contents. Added
   workflow-level `permissions: contents: write`.

2. Failure-path artifact upload still hit quota wall. Replaced with
   inline `tail` of build/out/build.log + anaconda program.log
   directly to job log. No artifact upload = no quota.

.github/workflows/build-iso.yml

@@ -19,6 +19,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: write   # needed for action-gh-release to create+update ci-latest
+
 jobs:
   build:
     name: Build live ISO
@@ -188,15 +191,15 @@ jobs:
             build/out/*.iso
             build/out/*.sha256
 
-      - name: Upload build log on failure
+      # Build log on failure: print inline + skip artifact upload to avoid
+      # quota wall. Job log retains everything anyway.
+      - name: Print build log on failure
         if: failure()
-        uses: actions/upload-artifact@v4
+        run: |
-        with:
+          echo "─── build/out/build.log ───"
-          name: veilor-os-buildlog
+          tail -200 build/out/build.log 2>/dev/null || echo "(no build.log)"
-          path: |
+          echo "─── anaconda program.log ───"
-            build/out/build.log
+          find build/out/build/anaconda -name 'program.log' -exec tail -100 {} \; 2>/dev/null || echo "(no anaconda log)"
-            build/out/build/anaconda/
-          retention-days: 1
 
       - name: Attach to release on tag
         if: github.event_name == 'release'