Skip to content

Commit f44aa6d

Browse files
chore: add explicit permissions to release-please workflow (#67)
**Requirements** - [x] I have added test coverage for new or changed functionality - [x] I have followed the repository's [pull request submission guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests) - [x] I have validated my changes against all supported platform versions No test changes needed — this is a CI workflow configuration change only. **Related issues** N/A — identified during an audit of all non-archived `launchdarkly-sdk`-tagged repositories for missing release-please workflow permissions. **Describe the solution you've provided** Adds explicit `contents: write` and `pull-requests: write` permissions to the `release-please` job. Without these, the job relies on the repository/org default `GITHUB_TOKEN` permissions, which may be insufficient if defaults are set to read-only. Release-please needs: - `contents: write` — to create GitHub releases and push tags - `pull-requests: write` — to create and update release PRs The `publish-package` job already has its own explicit `permissions` block and is unaffected. **Describe alternatives you've considered** Setting permissions at the workflow level (top-level `permissions:` key) was considered, but job-level scoping follows the principle of least privilege. **Additional context** This is part of a batch update across all `launchdarkly-sdk`-tagged repos whose release-please workflows were missing explicit permissions on their default branch. **Human review checklist** - [ ] Adding an explicit job-level `permissions` block restricts the token to *only* the listed permissions (plus the always-granted `metadata: read`), revoking any previously inherited defaults. Confirm the `release-please` job does not need additional permissions beyond `contents: write` and `pull-requests: write`. Link to Devin session: https://app.devin.ai/sessions/a83b6e4f4fa14b96b859cfb50755a2c1 Requested by: @kinyoklion <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk CI configuration change that only adjusts `GITHUB_TOKEN` permissions for the `release-please` job; no application/runtime code paths are affected. > > **Overview** > Adds an explicit job-level `permissions` block to the `release-please` GitHub Actions job, granting `contents: write` and `pull-requests: write` so it can create tags/releases and manage release PRs even when repo/org defaults are read-only. > > No changes to the `publish-package` job logic; it continues to use its existing permissions and dependency on the release output. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 9a86fad. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
1 parent a7479a2 commit f44aa6d

1 file changed

Lines changed: 3 additions & 0 deletions

File tree

.github/workflows/release-please.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,9 @@ on:
88
jobs:
99
release-please:
1010
runs-on: ubuntu-latest
11+
permissions:
12+
contents: write
13+
pull-requests: write
1114
outputs:
1215
release_created: ${{ steps.release.outputs.release_created }}
1316
steps:

0 commit comments

Comments
 (0)