Skip to content

fix(ci): grant contents:write to AWS deploy workflow chain#184

Merged
py-zoid merged 1 commit into
masterfrom
fix/deployment-workflow-contents-write
May 15, 2026
Merged

fix(ci): grant contents:write to AWS deploy workflow chain#184
py-zoid merged 1 commit into
masterfrom
fix/deployment-workflow-contents-write

Conversation

@py-zoid
Copy link
Copy Markdown
Contributor

@py-zoid py-zoid commented May 15, 2026

Summary

Hotfix for Static Deployment run 25907576431 which failed at startup on the merge of #183 (changesets-release for @polygonlabs/meta@1.0.0).

PR #182 hardened deployment.yml and build_and_deploy.yml with explicit top-level permissions: { contents: read, id-token: write } to replace the previous secrets: inherit / no-permissions defaults. That's not a superset of what the called shared workflow needs — 0xPolygon/pipelines/.github/workflows/ecs_deploy_docker_taskdef.yaml declares permissions: { id-token: write, contents: write } on its deploy_workflow job — so GitHub Actions failed at workflow startup before any step ran.

Both calling workflows now declare contents: write. id-token: write is unchanged. The token is still scoped down to just the two scopes the AWS deploy actually uses — it's not a regression back to inherit-everything.

Test plan

  • Workflow YAML is still valid (prettier clean).
  • Merge this PR.
  • Re-run the failed deployment (or push an empty commit to master) and verify Static Deployment reaches the deploy job and completes 1.0.0's ECS rollout.

@py-zoid
fix(ci): grant contents:write to AWS deploy workflow chain
f80d272 
The 1.0.0 release fired Static Deployment on master and it failed
with `startup_failure` immediately — the called
`0xPolygon/pipelines/.github/workflows/ecs_deploy_docker_taskdef.yaml`
declares `permissions: { id-token: write, contents: write }` on its
job, but PR #182 hardened the trigger with `contents: read`, which is
not a superset of what the called workflow needs.

Both deployment.yml and build_and_deploy.yml now declare
`contents: write`. id-token: write is unchanged. The token is still
scoped down from `inherit`-everything to just the two scopes the AWS
deploy actually uses.
@py-zoid py-zoid marked this pull request as ready for review May 15, 2026 08:24
@py-zoid py-zoid requested a review from a team as a code owner May 15, 2026 08:24
@py-zoid py-zoid merged commit 79bb63d into master May 15, 2026
8 checks passed
@py-zoid py-zoid deleted the fix/deployment-workflow-contents-write branch May 15, 2026 08:24
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 15, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@claude
Copy link
Copy Markdown

claude Bot commented May 15, 2026

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@py-zoid