Skip to content

Commit 396fec1

Browse files
authored
Fix release note generation by adding missing permissions (#8484)
## Summary of changes Adds `pull_requests` permission to draft-release `dd-octo-sts` chainguard file ## Reason for change The release note generation has been silently failing since we switched to STS: ``` Fetching milestones... Found vNext-v3 milestone: 216 Fetching previous release details Fetching Issues assigned to vNext-v3 Found 0 issues, building release notes. ``` I think that's because we're missing the `pull_requests` permission in the dd-octo-sts file, and the issues endpoint we're using silently filters this out. This also seems to _only_ apply to _app_ permissions, which is what dd-octo-sts uses, not to fine-grained tokens, which is why we couldn't replicate it locally. ## Implementation details - Added `pull_requests: read` to the draft release STS definition. - Removed permissions for the "ambient" GITHUB_TOKEN, as these aren't actually used, other than for the OIDC exchange, and just add confusion ## Test coverage Nope, we just have to wait for the next release, and hope nothing breaks 😬
1 parent ac962de commit 396fec1

4 files changed

Lines changed: 13 additions & 15 deletions

File tree

.github/chainguard/self.github.create-draft-release.sts.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,5 +14,6 @@ claim_pattern:
1414
permissions:
1515
contents: write
1616
issues: write
17+
pull_requests: read
1718
statuses: read
1819
actions: read

.github/workflows/_create_draft_release.yml

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -40,12 +40,11 @@ jobs:
4040
create_draft_release:
4141
runs-on: ubuntu-latest
4242
environment: publish-debug-symbols-env
43-
# These permissions need to map to the ones demanded in create_normal_draft_release.yml and create_hotfix_draft_release.yml
43+
# All GitHub API access goes through the dd-octo-sts token; see
44+
# .github/chainguard/self.github.create-draft-release.sts.yaml
4445
permissions:
45-
contents: write # create release
46-
actions: read # read secrets
47-
issues: write # change milestones
48-
id-token: write # enable GitHub OIDC token issuance for this job
46+
contents: read # actions/checkout uses the workflow token to clone
47+
id-token: write # required for dd-octo-sts OIDC and NuGet trusted publishing
4948
env:
5049
# Have to use external token with explicit workflow permissions because we are creating
5150
# a release from an arbitrary SHA. For "reasons", the built-in token does not _always_

.github/workflows/create_hotfix_draft_release.yml

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -28,12 +28,11 @@ jobs:
2828
create_hotfix_draft_release:
2929
needs: check_branch
3030
uses: ./.github/workflows/_create_draft_release.yml
31-
# These permissions need to map to the ones demanded in _create_draft_release.yml
31+
# All GitHub API access in the reusable workflow goes through the dd-octo-sts token; see
32+
# .github/chainguard/self.github.create-draft-release.sts.yaml
3233
permissions:
33-
contents: write # create release
34-
actions: read # read secrets
35-
issues: write # change milestones
36-
id-token: write # enable GitHub OIDC token issuance for this job
34+
contents: read # actions/checkout uses the workflow token to clone
35+
id-token: write # required for dd-octo-sts OIDC and NuGet trusted publishing
3736
with:
3837
forced_commit_id: ${{ inputs.forced_commit_id }}
3938
ignore_gitlab_failures: ${{ inputs.ignore_gitlab_failures }}

.github/workflows/create_normal_draft_release.yml

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -28,12 +28,11 @@ jobs:
2828
create_normal_draft_release:
2929
needs: check_branch
3030
uses: ./.github/workflows/_create_draft_release.yml
31-
# These permissions need to map to the ones demanded in _create_draft_release.yml
31+
# All GitHub API access in the reusable workflow goes through the dd-octo-sts token; see
32+
# .github/chainguard/self.github.create-draft-release.sts.yaml
3233
permissions:
33-
contents: write # create release
34-
actions: read # read secrets
35-
issues: write # change milestones
36-
id-token: write # enable GitHub OIDC token issuance for this job
34+
contents: read # actions/checkout uses the workflow token to clone
35+
id-token: write # required for dd-octo-sts OIDC and NuGet trusted publishing
3736
with:
3837
forced_commit_id: ${{ inputs.forced_commit_id }}
3938
ignore_gitlab_failures: ${{ inputs.ignore_gitlab_failures }}

0 commit comments

Comments
 (0)