
chore: add explicit permissions to release-please workflow #21

Merged: kinyoklion merged 1 commit into master from devin/1774468888-add-release-please-permissions on Mar 25, 2026

@kinyoklion (Member) commented Mar 25, 2026

Requirements

  • I have added test coverage for new or changed functionality
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions

No test changes needed — this is a CI workflow permissions fix only.

Related issues

N/A

Describe the solution you've provided

Adds explicit contents: write and pull-requests: write permissions to the release-please job. Without these, the job relies on the repository's default GITHUB_TOKEN permissions, which may not include write access for contents and pull requests if the repository or organization defaults have been tightened.

These permissions are required for release-please to:

  • Create and update release PRs (pull-requests: write)
  • Create GitHub releases and push tags (contents: write)

Describe alternatives you've considered

Setting broader permissions at the workflow level (permissions: at the top level), but scoping permissions to the specific job is more secure and follows the principle of least privilege.

Additional context

This is part of an audit of all launchdarkly-sdk-tagged repositories to ensure release-please workflows have the necessary explicit permissions.

Human review checklist

  • Confirm these are the minimum permissions needed for release-please to function
  • Verify no unintended changes to other jobs in the workflow

Link to Devin session: https://app.devin.ai/sessions/a83b6e4f4fa14b96b859cfb50755a2c1
Requested by: @kinyoklion


Note

Low Risk
Low risk CI-only change that tightens and clarifies required GITHUB_TOKEN scopes; main impact is enabling or restricting release automation if mis-scoped.

Overview
Updates .github/workflows/release-please.yml to explicitly grant the release-please job contents: write and pull-requests: write permissions.

This avoids relying on repository/org default GITHUB_TOKEN permissions and ensures release-please can create/update release PRs and publish tags/releases.

Written by Cursor Bugbot for commit aa98c4f.
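
The job-level scoping described in this pull request, shown as an added example that is not the repository's actual release-please.yml. The trigger, the action reference, the workflow-level read-only default and the `test` job are assumptions made for illustration.

```yaml
# Constructed workflow for illustration; not the repository's file.
name: release-please
on:
  push:
    branches: [master]

# Assumed workflow-level default: any job without its own permissions block
# gets a read-only GITHUB_TOKEN, whatever the repository or organization
# default happens to be.
permissions:
  contents: read

jobs:
  release-please:
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow-level one for this job only.
    # Scopes not listed here are set to none.
    permissions:
      contents: write        # create GitHub releases and push tags
      pull-requests: write   # create and update release PRs
    steps:
      # Assumption: action reference; use the ref the repository already pins.
      - uses: googleapis/release-please-action@v4

  # Hypothetical second job: it inherits contents: read, so its token cannot
  # push tags or modify pull requests.
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
```

Granting the same two write scopes at the top level instead would hand them to every job in the file, which is the alternative the description rejects.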

@devin-ai-integration (Contributor)

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@kinyoklion kinyoklion marked this pull request as ready for review March 25, 2026 20:17
@kinyoklion kinyoklion requested a review from a team as a code owner March 25, 2026 20:17
@kinyoklion kinyoklion merged commit 53c84a2 into master Mar 25, 2026
9 checks passed
@kinyoklion kinyoklion deleted the devin/1774468888-add-release-please-permissions branch March 25, 2026 20:31