chore: add explicit permissions to release-please workflow #37

Merged: kinyoklion merged 1 commit into v3 from devin/1774468891-add-release-please-permissions on Mar 25, 2026


@kinyoklion (Member) commented Mar 25, 2026

Requirements

  • I have added test coverage for new or changed functionality
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions

N/A — this is a CI workflow configuration change only.

Related issues

None.

Describe the solution you've provided

Adds explicit permissions to the release-please job in the GitHub Actions workflow:

permissions:
  contents: write
  pull-requests: write

These permissions are required for the release-please-action to:

  • Create and update release pull requests (pull-requests: write)
  • Create GitHub releases and push tags (contents: write)

Without explicit permissions, the job relies on the repository's default GITHUB_TOKEN permissions, which may be insufficient if the org or repo defaults are set to read-only.

Describe alternatives you've considered

Setting these permissions at the workflow level (top-level permissions key) was considered, but job-level permissions are preferred to follow the principle of least privilege.

Additional context

This is part of an audit of all launchdarkly-sdk-tagged repositories to ensure release-please workflows have the necessary permissions configured explicitly.

Human review checklist

  • Permissions are on the correct job (release-please, not a downstream publish/provenance job)

Link to Devin session: https://app.devin.ai/sessions/a83b6e4f4fa14b96b859cfb50755a2c1
Requested by: @kinyoklion


Note

Low Risk
Low risk workflow-only change that just scopes GITHUB_TOKEN permissions for release-please; main risk is mis-scoping could prevent release PRs/tags from being created.

Overview
Adds explicit job-level permissions to .github/workflows/release-please.yml so release-please-action can create/update release PRs and publish tags/releases even when repo/org default GITHUB_TOKEN permissions are read-only.

Written by Cursor Bugbot for commit 35d0afd. This will update automatically on new commits. Configure here.
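
An added example, not part of the PR or the project's code: a minimal Python check for the review-checklist item above. It classifies whether the release-please job's GITHUB_TOKEN scopes are set at job level, inherited from a workflow-level key, or left to the repository default, and lists any other job that holds a write scope. The sample workflows and the `publish` job name are constructed, and the parser assumes block-style YAML.

```python
# Added audit sketch, not code from the PR. Handles block-style YAML only
# (no flow maps, anchors or tabs). Sample workflows below are constructed.
REQUIRED = {"contents": "write", "pull-requests": "write"}

def permission_blocks(text):
    """Map '' (workflow level) and each job to its permissions dict (None if absent)."""
    found, stack = {"": None}, []          # stack: (indent, key) of open mappings
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith(("#", "-")):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = (s.strip() for s in line.strip().partition(":"))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        path = [k for _, k in stack]
        in_job = path[0] == "jobs" and len(path) > 1
        owner, rest = (path[1], path[2:]) if in_job else ("", path)
        found.setdefault(owner, None)
        if rest == ["permissions"]:          # scalar (write-all) or start of a map
            found[owner] = {"*": value} if value else {}
        elif rest[:1] == ["permissions"] and len(rest) == 2:
            found[owner][key] = value
    return found

def audit(text, job="release-please"):
    """Classify where the job's GITHUB_TOKEN scopes come from."""
    found = permission_blocks(text)
    if job not in found:
        return "job-not-found"
    perms = found[job]
    if perms is None:
        return "workflow-level" if found[""] is not None else "implicit-default"
    if perms.get("*") == "write-all":
        return "over-broad"
    ok = all(perms.get(k) == v for k, v in REQUIRED.items())
    return "explicit" if ok else "insufficient"

def other_writers(text, job="release-please"):
    """Other jobs holding a write scope: the 'wrong job' case in the checklist."""
    return sorted(j for j, p in permission_blocks(text).items() if j not in ("", job)
                  and p and any(v.startswith("write") for v in p.values()))

PERMS = "    permissions:\n      contents: write\n      pull-requests: write\n"
JOB = "  {}:\n    runs-on: ubuntu-latest\n"
GOOD = "jobs:\n" + JOB.format("release-please") + PERMS + JOB.format("publish")
MISPLACED = "jobs:\n" + JOB.format("release-please") + JOB.format("publish") + PERMS
for name, wf in (("GOOD", GOOD), ("MISPLACED", MISPLACED)):
    print(name, audit(wf), other_writers(wf))
```

A result of `implicit-default` together with a non-empty `other_writers` list is the misplacement the checklist asks the reviewer to rule out.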

@devin-ai-integration (Contributor)

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

@kinyoklion kinyoklion marked this pull request as ready for review March 25, 2026 20:18
@kinyoklion kinyoklion requested a review from a team as a code owner March 25, 2026 20:18
@kinyoklion kinyoklion merged commit 5aba2c9 into v3 Mar 25, 2026
14 checks passed
@kinyoklion kinyoklion deleted the devin/1774468891-add-release-please-permissions branch March 25, 2026 20:31