Commit 0edb808

chore: add explicit permissions to release-please workflow (#513)
## Summary

Adds explicit `contents: write` and `pull-requests: write` permissions to the `release-please` job. These are required for the release-please action to create release PRs and GitHub releases. Without explicit permissions, the job relies on the repository/org default `GITHUB_TOKEN` permissions, which may be insufficient if defaults are tightened to read-only.

Downstream jobs (release-client, release-server, provenance, etc.) already have their own explicit permissions blocks and are unaffected by this change.

## Review & Testing Checklist for Human

- [ ] **Verify no other implicit permissions are needed by the `release-please` job.** Adding an explicit job-level `permissions` block restricts the token to *only* the listed permissions, revoking any previously inherited defaults. If the release-please action in this repo needs anything beyond `contents` and `pull-requests` (e.g., `id-token: write`), it will break.
- [ ] After merging, monitor the next `release-please` workflow run (triggered by a push to `main`) to confirm it still creates/updates release PRs successfully.

### Notes

This is part of a batch update across all `launchdarkly-sdk`-tagged repositories whose release-please workflows were missing explicit permissions on their default branch.

Link to Devin session: https://app.devin.ai/sessions/a83b6e4f4fa14b96b859cfb50755a2c1

Requested by: @kinyoklion

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk configuration change, but it can break releases if `release-please` requires additional permissions beyond `contents` and `pull-requests` under restricted tokens.
>
> **Overview**
> **Hardens the `release-please` GitHub Actions workflow** by adding an explicit job-level `permissions` block for `release-please` (`contents: write` and `pull-requests: write`).
>
> This removes reliance on repository/org default `GITHUB_TOKEN` permissions and ensures the job can create/update release PRs and GitHub releases when defaults are tightened.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 16f70bb. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
1 parent 853c26d commit 0edb808

1 file changed

Lines changed: 3 additions & 0 deletions

.github/workflows/release-please.yml

@@ -7,6 +7,9 @@ name: release-please
77
jobs:
88
release-please:
99
runs-on: ubuntu-22.04
10+
permissions:
11+
contents: write
12+
pull-requests: write
1013
outputs:
1114
package-client-released: ${{ steps.release.outputs['libs/client-sdk--release_created'] }}
1215
package-client-tag: ${{ steps.release.outputs['libs/client-sdk--tag_name'] }}
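
Review bot: the `permissions:` block added at new lines 10-12 has no comment saying why each write scope is needed, and because it sits at job level it governs the token for every step in `release-please`, not only the step with id `release` that the `outputs` entries read from. Consider annotating each scope inline, for example `contents: write  # tags and GitHub releases` and `pull-requests: write  # release PRs`, so a later reader can tell which scope can be dropped if a step is removed. Any scope not listed here is no longer available to this job's token, so the steps below the `outputs` block (not visible in this hunk) should be checked for anything that needs another scope before this merges.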
