Skip to content

ci: grant issues write to release-please for autorelease labels#1821

Merged
ooples merged 2 commits into
masterfrom
ci/release-please-issues-perm
Jul 7, 2026
Merged

ci: grant issues write to release-please for autorelease labels#1821
ooples merged 2 commits into
masterfrom
ci/release-please-issues-perm

Conversation

@ooples

@ooples ooples commented Jul 7, 2026

Copy link
Copy Markdown
Owner

Problem

The Release Please workflow has been failing on every push to master with:

release-please failed: Resource not accessible by personal access token

release-please gets all the way through creating the tree/commit, updating the branch ref, and creating the Release PR (#1814) — then 403s on the labeling step. It applies autorelease: pending / autorelease: tagged to the Release PR via GitHub's Issues API, which needs issues: write. The workflow only granted contents: write + pull-requests: write.

Fix

Add issues: write to the permissions: block so the label management works (and the GITHUB_TOKEN fallback path is fully functional).

Note

The workflow authenticates with AUTOFIX_PAT, and a token's permissions aren't governed by the workflow permissions: block — so the AUTOFIX_PAT fine-grained token also needs Issues: Read and write added for the primary (PAT) path. That's a settings change on the token itself; this PR covers the workflow side. The two autorelease: labels have also been pre-created in the repo.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated release automation permissions so it can manage release labels and complete automated publishing more reliably.

release-please creates and applies the `autorelease: pending` / `autorelease: tagged`
labels through GitHub's Issues API. Without `issues: write` the labeling step 403s
("Resource not accessible ...") after the Release PR is created, failing the whole run.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 7, 2026 12:35
@vercel

vercel Bot commented Jul 7, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
Project Deployment Actions Updated (UTC)
aidotnet_website Ignored Ignored Preview Jul 7, 2026 12:47pm
aidotnet-playground-api Ignored Ignored Preview Jul 7, 2026 12:47pm

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

You’ve reached a temporary PR review limit under our Fair Usage Limits Policy.

Your recent review volume is higher than typical usage, so adaptive limits are currently applied.

Next review available in: 48 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 844d3115-3ca5-4aea-bef7-89763c1c20d5

📥 Commits

Reviewing files that changed from the base of the PR and between c227253 and 7c91f60.

📒 Files selected for processing (1)
  • .github/workflows/release-please.yml

Walkthrough

This change adds an issues: write permission entry to the release-please GitHub Actions workflow configuration, enabling the workflow to create or apply labels via the GitHub Issues API. No job logic or steps were modified.

Changes

Release Workflow Permissions

Layer / File(s) Summary
Workflow permissions update
.github/workflows/release-please.yml
Adds permissions.issues: write to allow the release automation to modify issues/labels via the Issues API.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Poem

A single line, a permission grant,
Labels now bloom where once they can't. 🏷️
No stubs, no TODOs, nothing to fear—
Just one small key turned in the gear. 🐇✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the workflow permission change to support autorelease label management.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/release-please-issues-perm

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-please.yml:
- Line 24: The workflow currently grants issues: write at the top level, which
applies to every job in release-please.yml instead of only the job that mutates
labels. Move this permission from the workflow scope into the release-please
job’s permissions block so only that job can call the Issues API. Keep the
existing label-related access intact for the release-please job, and leave other
jobs at the default least-privilege level.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0b68e6b5-3ef5-4815-82ab-b9703b3fbc31

📥 Commits

Reviewing files that changed from the base of the PR and between 29d2ad4 and c227253.

📒 Files selected for processing (1)
  • .github/workflows/release-please.yml

Comment thread .github/workflows/release-please.yml Outdated
zizmor flagged workflow-level `issues: write` as overly broad — it applied to
every job (incl. publish). Move it into the release-please job's permissions
block (least-privilege); since a job-level block overrides the workflow default,
contents/pull-requests are re-declared there. The publish job keeps the
workflow-level contents:write it needs for release-asset upload.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ooples ooples merged commit 880c162 into master Jul 7, 2026
10 of 95 checks passed
@ooples ooples deleted the ci/release-please-issues-perm branch July 7, 2026 13:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants