chore: add explicit permissions to release-please workflow #140
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write |
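Review bot: the permissions block added under runs-on scopes only this job's GITHUB_TOKEN; any other job in the same workflow that has no permissions block of its own still inherits the repository or organization default, so if the intent is least privilege for the whole file, pair this job-level grant with a read-only top-level block (permissions: contents: read) and give each job only what it needs. The two scopes listed, contents: write and pull-requests: write, cover release PRs and releases/tags; issues: write only matters if the action is configured to manage labels, so omitting it here is consistent with that usage.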
Missing issues: write permission for release-please action
Medium Severity
Adding an explicit job-level permissions block restricts the GITHUB_TOKEN to only the listed permissions, revoking all inherited defaults. The release-please-action v4 documentation (and upstream PR #1108) indicates that issues: write is also required for the action to create labels on issues and pull requests. Without it, the action may fail when attempting label operations.
The issues: write permission is only needed if release-please is configured to manage labels on issues/PRs. The standard release-please-action v4 usage (creating release PRs and GitHub releases) only requires contents: write and pull-requests: write. The upstream PR #1108 referenced is about a specific label-management feature that isn't used in this workflow configuration.
If label operations are needed in the future, issues: write can be added at that time.


Requirements
No test changes needed — this is a CI workflow configuration change only.
Related issues
N/A — identified during an audit of all non-archived launchdarkly-sdk-tagged repositories for missing release-please workflow permissions.
Describe the solution you've provided
Adds explicit contents: write and pull-requests: write permissions to the release-please job. These are required for the release-please action to: (pull-requests: write) (contents: write). Without explicit permissions, the job relies on the repository/org default GITHUB_TOKEN permissions, which may be insufficient if defaults are set to read-only.
Describe alternatives you've considered
Setting permissions at the workflow level (top-level permissions: key) was considered, but job-level scoping follows the principle of least privilege and avoids granting unnecessary access to other jobs.
Additional context
This is part of a batch update across all launchdarkly-sdk-tagged repos whose release-please workflows were missing explicit permissions on their default branch.
Human review checklist
The permissions block restricts the token to only the listed permissions, revoking any inherited defaults. Confirm contents: write and pull-requests: write are sufficient for the release-please job (the publish-package job already has its own permissions block and is unaffected).
Link to Devin session: https://app.devin.ai/sessions/a83b6e4f4fa14b96b859cfb50755a2c1
Requested by: @kinyoklion
Note
Low Risk
Low risk CI configuration change that only adjusts GITHUB_TOKEN scopes for the release-please job; main risk is mis-scoped permissions could prevent release PRs/tags from being created.
Overview
Updates .github/workflows/release-please.yml to explicitly grant the release-please job contents: write and pull-requests: write, rather than relying on repository/org default GITHUB_TOKEN permissions. This ensures the release-please action can create/update release PRs and create releases/tags when default workflow permissions are read-only.
Written by Cursor Bugbot for commit 9053809.
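The audit the PR description mentions (finding workflows whose jobs fall back to the default GITHUB_TOKEN scopes) can be scripted; the check below is an added example, not code from this PR or from release-please. It assumes two-space YAML indentation and runs over a constructed sample workflow rather than the repository's real file.

```python
import re

# Constructed sample modelled on the PR's workflow: release-please with the new block,
# publish-package with its own block, and a hypothetical lint job with none.
SAMPLE_WORKFLOW = """\
jobs:
  release-please:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: googleapis/release-please-action@v4
  publish-package:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: echo publish
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: echo lint
"""

# Matches a mapping key and captures its indentation (two-space indents assumed).
KEY_RE = re.compile(r"^( *)([A-Za-z0-9_.-]+):")

def audit_workflow(text):
    """Return (has_workflow_level_permissions, {job_id: has_job_level_block})."""
    top_level, in_jobs, current, jobs = False, False, None, {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:                        # top-level key: jobs, on, permissions
            in_jobs, current = key == "jobs", None
            top_level = top_level or key == "permissions"
        elif in_jobs and indent == 2:          # a job id under jobs:
            current, jobs[key] = key, False
        elif in_jobs and indent == 4 and key == "permissions" and current:
            jobs[current] = True
    return top_level, jobs

def jobs_using_defaults(text):
    """Jobs whose GITHUB_TOKEN falls back to the repository/org default scopes:
    no job-level block and no workflow-level block to override the default."""
    top_level, jobs = audit_workflow(text)
    return [] if top_level else sorted(j for j, ok in jobs.items() if not ok)
```

Run over a real workflow, a non-empty result is the list of jobs that would silently lose write access if the repository default were switched to read-only.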