From ca3fefaae875a005993a579f6665b8644f2df1cd Mon Sep 17 00:00:00 2001
From: Ivan
Date: Tue, 15 Jul 2025 13:51:32 -0500
Subject: [PATCH] Add workflow permissions
---
.github/workflows/build.yml | 87 +++++++++++++++++++++++++++++++++++
.github/workflows/go-test.yml | 3 ++
.github/workflows/gosec.yml | 2 +
3 files changed, 92 insertions(+)
create mode 100644 .github/workflows/build.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..0b494c6
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,87 @@
+name: Go Build Multi-Platform
+
+on:
+ push:
+ branches: [ "main" ]
+ tags:
+ - 'v*'
+ pull_request:
+ branches: [ "main" ]
+
+jobs:
+ build:
+ permissions:
+ contents: write
+ strategy:
+ matrix:
+ goos: [linux, windows, darwin, freebsd]
+ goarch: [amd64, arm64, arm]
+ exclude:
+ - goos: darwin
+ goarch: arm
+
+ runs-on: ubuntu-latest
+
+ outputs:
+ build_complete: ${{ steps.build_step.outcome == 'success' }}
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: '1.24'
+
+ - name: Build
+ id: build_step
+ env:
+ GOOS: ${{ matrix.goos }}
+ GOARCH: ${{ matrix.goarch }}
+ GOARM: ${{ matrix.goarch == 'arm' && '6' || '' }}
+ run: |
+ output_name="arcgis-utils-go-${GOOS}-${GOARCH}"
+ if [ "$GOOS" = "windows" ]; then
+ output_name+=".exe"
+ fi
+ go build -v -ldflags="-s -w" -o "${output_name}" ./cmd/arcgis-utils
+ echo "Built: ${output_name}"
+
+ - name: Calculate SHA256 Checksum
+ run: |
+ output_name="arcgis-utils-go-${{ matrix.goos }}-${{ matrix.goarch }}"
+ if [ "${{ matrix.goos }}" = "windows" ]; then
+ output_name+=".exe"
+ fi
+ sha256sum "${output_name}" > "${output_name}.sha256"
+ echo "Calculated SHA256 for ${output_name}"
+
+ - name: Upload Artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: arcgis-utils-go-${{ matrix.goos }}-${{ matrix.goarch }}
+ path: arcgis-utils-go-${{ matrix.goos }}-${{ matrix.goarch }}*
+
+ release:
+ name: Create Release
+ runs-on: ubuntu-latest
+ needs: build
+ if: startsWith(github.ref, 'refs/tags/')
+
+ permissions:
+ contents: write
+
+ steps:
+ - name: Download All Build Artifacts
+ uses: actions/download-artifact@v4
+ with:
+ path: ./release-assets
+
+ - name: List downloaded files (for debugging)
+ run: ls -R ./release-assets
+
+ - name: Create GitHub Release
+ uses: softprops/action-gh-release@v2
+ with:
+ files: ./release-assets/*/*
\ No newline at end of file
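Review bot: The `build` job is granted `contents: write`, yet its steps only check out, compile, hash and upload artifacts, and the job runs on every push and pull request to `main`; nothing there needs a write-capable token, so a compromised build step or dependency would hold more access than the job requires. Change that job's block to `contents: read` and leave `contents: write` on the `release` job, which is already limited to tag refs. That write token is handed to `softprops/action-gh-release@v2`, a third-party action referenced by a mutable tag; pinning it to a full commit SHA (`uses: softprops/action-gh-release@<full-commit-sha>  # v2`) keeps a moved tag from running with release rights. The checksum step also pastes `${{ matrix.goos }}` and `${{ matrix.goarch }}` into the script text where the Build step passes them through `env:`; giving that step the same `env:` block and using `${GOOS}`/`${GOARCH}` keeps expressions out of shell source.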
diff --git a/.github/workflows/go-test.yml b/.github/workflows/go-test.yml index a80bff6..8b6b11c 100644 --- a/.github/workflows/go-test.yml +++ b/.github/workflows/go-test.yml @@ -8,6 +8,9 @@ on: branches: - main +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml index 82d85f3..71a50c1 100644 --- a/.github/workflows/gosec.yml +++ b/.github/workflows/gosec.yml @@ -6,6 +6,8 @@ on: pull_request: branches: - main +permissions: + contents: read jobs: tests: runs-on: ubuntu-latest
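Review bot: Setting only `contents: read` at workflow level in gosec.yml drops every other token scope, including `security-events`, which a SARIF upload to code scanning needs. The steps of the `tests` job lie outside the hunk, so this is unconfirmed, but if the job publishes gosec results that upload would start failing with the restricted token. In that case grant `security-events: write` on the `tests` job itself rather than widening the workflow default, and add a comment above the new block such as `# least privilege: read-only token unless a job opts in`.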