Commit f44aa6d
chore: add explicit permissions to release-please workflow (#67)
**Requirements**
- [x] I have added test coverage for new or changed functionality
- [x] I have followed the repository's [pull request submission
guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests)
- [x] I have validated my changes against all supported platform
versions
No test changes needed — this is a CI workflow configuration change
only.
**Related issues**
N/A — identified during an audit of all non-archived
`launchdarkly-sdk`-tagged repositories for missing release-please
workflow permissions.
**Describe the solution you've provided**
Adds explicit `contents: write` and `pull-requests: write` permissions
to the `release-please` job. Without these, the job relies on the
repository/org default `GITHUB_TOKEN` permissions, which may be
insufficient if defaults are set to read-only.
Release-please needs:
- `contents: write` — to create GitHub releases and push tags
- `pull-requests: write` — to create and update release PRs
The `publish-package` job already has its own explicit `permissions`
block and is unaffected.
**Describe alternatives you've considered**
Setting permissions at the workflow level (top-level `permissions:` key)
was considered, but job-level scoping follows the principle of least
privilege.
**Additional context**
This is part of a batch update across all `launchdarkly-sdk`-tagged
repos whose release-please workflows were missing explicit permissions
on their default branch.
**Human review checklist**
- [ ] Adding an explicit job-level `permissions` block restricts the
token to *only* the listed permissions (plus the always-granted
`metadata: read`), revoking any previously inherited defaults. Confirm
the `release-please` job does not need additional permissions beyond
`contents: write` and `pull-requests: write`.
Link to Devin session:
https://app.devin.ai/sessions/a83b6e4f4fa14b96b859cfb50755a2c1
Requested by: @kinyoklion
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk CI configuration change that only adjusts `GITHUB_TOKEN`
permissions for the `release-please` job; no application/runtime code
paths are affected.
>
> **Overview**
> Adds an explicit job-level `permissions` block to the `release-please`
GitHub Actions job, granting `contents: write` and `pull-requests:
write` so it can create tags/releases and manage release PRs even when
repo/org defaults are read-only.
>
> No changes to the `publish-package` job logic; it continues to use its
existing permissions and dependency on the release output.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
9a86fad. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>1 parent a7479a2 commit f44aa6d
1 file changed
Lines changed: 3 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
8 | 8 | | |
9 | 9 | | |
10 | 10 | | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
11 | 14 | | |
12 | 15 | | |
13 | 16 | | |
| |||
0 commit comments