Commit 4949b27
authored
chore: add explicit permissions to release-please workflow (#380)
**Requirements**
- [x] I have added test coverage for new or changed functionality
- [x] I have followed the repository's [pull request submission
guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests)
- [x] I have validated my changes against all supported platform
versions
No test changes needed — this is a CI workflow configuration change
only.
**Related issues**
N/A — identified during an audit of all non-archived
`launchdarkly-sdk`-tagged repositories for missing release-please
workflow permissions.
**Describe the solution you've provided**
Adds explicit `contents: write` and `pull-requests: write` permissions
to the `release-please` job. These are required for the release-please
action to:
- Create and update release PRs (`pull-requests: write`)
- Create GitHub releases and push tags (`contents: write`)
Without explicit permissions, the job relies on the repository/org
default `GITHUB_TOKEN` permissions, which may be insufficient if
defaults are set to read-only.
**Describe alternatives you've considered**
Setting permissions at the workflow level (top-level `permissions:` key)
was considered, but job-level scoping follows the principle of least
privilege and avoids granting unnecessary access to other jobs (e.g.,
`publish-package`).
**Additional context**
This is part of a batch update across all `launchdarkly-sdk`-tagged
repos whose release-please workflows were missing explicit permissions
on their default branch.
**Human review checklist**
- [ ] Adding an explicit job-level `permissions` block *replaces*
inherited defaults — the token will **only** have `contents: write`,
`pull-requests: write`, and the always-granted `metadata: read`. Confirm
the `release-please` job does not need any additional permissions (e.g.,
`id-token: write`). Other jobs like `publish-package` already have their
own `permissions` blocks and are unaffected.
Link to Devin session:
https://app.devin.ai/sessions/a83b6e4f4fa14b96b859cfb50755a2c1
Requested by: @kinyoklion
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk workflow-only change that grants `release-please` the minimal
write permissions needed to create/update release PRs and tags; main
risk is mis-scoping permissions if the job requires additional access.
>
> **Overview**
> Adds an explicit job-level `permissions` block to
`.github/workflows/release-please.yml` for the `release-please` job,
granting `contents: write` and `pull-requests: write`.
>
> This removes reliance on repository/org default `GITHUB_TOKEN`
permissions so `googleapis/release-please-action@v4` can reliably
create/update release PRs and create releases/tags.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
d005966. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->1 file changed
Lines changed: 3 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
19 | 19 | | |
20 | 20 | | |
21 | 21 | | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
22 | 25 | | |
23 | 26 | | |
24 | 27 | | |
| |||
0 commit comments