Skip to content

Commit 4949b27

Browse files
authored
chore: add explicit permissions to release-please workflow (#380)
**Requirements** - [x] I have added test coverage for new or changed functionality - [x] I have followed the repository's [pull request submission guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests) - [x] I have validated my changes against all supported platform versions No test changes needed — this is a CI workflow configuration change only. **Related issues** N/A — identified during an audit of all non-archived `launchdarkly-sdk`-tagged repositories for missing release-please workflow permissions. **Describe the solution you've provided** Adds explicit `contents: write` and `pull-requests: write` permissions to the `release-please` job. These are required for the release-please action to: - Create and update release PRs (`pull-requests: write`) - Create GitHub releases and push tags (`contents: write`) Without explicit permissions, the job relies on the repository/org default `GITHUB_TOKEN` permissions, which may be insufficient if defaults are set to read-only. **Describe alternatives you've considered** Setting permissions at the workflow level (top-level `permissions:` key) was considered, but job-level scoping follows the principle of least privilege and avoids granting unnecessary access to other jobs (e.g., `publish-package`). **Additional context** This is part of a batch update across all `launchdarkly-sdk`-tagged repos whose release-please workflows were missing explicit permissions on their default branch. **Human review checklist** - [ ] Adding an explicit job-level `permissions` block *replaces* inherited defaults — the token will **only** have `contents: write`, `pull-requests: write`, and the always-granted `metadata: read`. Confirm the `release-please` job does not need any additional permissions (e.g., `id-token: write`). Other jobs like `publish-package` already have their own `permissions` blocks and are unaffected. Link to Devin session: https://app.devin.ai/sessions/a83b6e4f4fa14b96b859cfb50755a2c1 Requested by: @kinyoklion <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk workflow-only change that grants `release-please` the minimal write permissions needed to create/update release PRs and tags; main risk is mis-scoping permissions if the job requires additional access. > > **Overview** > Adds an explicit job-level `permissions` block to `.github/workflows/release-please.yml` for the `release-please` job, granting `contents: write` and `pull-requests: write`. > > This removes reliance on repository/org default `GITHUB_TOKEN` permissions so `googleapis/release-please-action@v4` can reliably create/update release PRs and create releases/tags. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit d005966. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
2 parents 58f1f41 + d005966 commit 4949b27

1 file changed

Lines changed: 3 additions & 0 deletions

File tree

.github/workflows/release-please.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,9 @@ jobs:
1919
release-please:
2020
if: github.event_name == 'push'
2121
runs-on: ubuntu-latest
22+
permissions:
23+
contents: write
24+
pull-requests: write
2225
outputs:
2326
release_created: ${{ steps.release.outputs.release_created }}
2427
steps:

0 commit comments

Comments
 (0)