Commit 669cc0c
ci: add explicit permissions to release-please job (#1224)
**Requirements**
- [x] I have added test coverage for new or changed functionality
- [x] I have followed the repository's [pull request submission
guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests)
- [x] I have validated my changes against all supported platform
versions
N/A — CI-only change, no application code or tests affected.
**Related issues**
- Failing run:
https://github.com/launchdarkly/js-core/actions/runs/23549553772/job/68569702804
- Error: `release-please failed: Error adding to tree: bde8e57`
**Describe the solution you've provided**
The `release-please` job in the `release-please.yml` workflow was
failing because its `GITHUB_TOKEN` only had `Contents: read` permission.
The job needs `contents: write` to create git trees/commits and
`pull-requests: write` to update the release PR branch via the GitHub
API.
The previous successful run (Mar 24) had full write permissions via the
repo/org default, but a subsequent change to the default workflow
permissions reduced the token to read-only, breaking this job. Other
jobs in the same workflow (e.g., `release-common`) were unaffected
because they already declare explicit `permissions`.
This PR adds an explicit `permissions` block to the `release-please`
job, matching the pattern used by the other release jobs.
**Describe alternatives you've considered**
Reverting the repository/organization default workflow permissions back
to "Read and write" — rejected because explicit per-job permissions
follow the principle of least privilege and are more resilient to future
settings changes.
**Additional context**
### Human review checklist
- [ ] Confirm that `contents: write` + `pull-requests: write` are
sufficient for `release-please-action@v4` (the [action
docs](https://github.com/googleapis/release-please-action#github-credentials)
list these as the required permissions)
- [ ] Verify whether the repo/org default workflow permissions change
was intentional — if so, other workflows without explicit permissions
may also need updating
Link to Devin session:
https://app.devin.ai/sessions/cb7dde700084447b9b8c4e3e95de65b4
Requested by: @joker23
---
> [!NOTE]
> **Medium Risk**
> Adds `contents: write` and `pull-requests: write` to the
> `release-please` workflow job, slightly increasing CI token privileges
> but scoped to the release automation path.
>
> **Overview**
> Fixes failing automated releases by adding an explicit `permissions`
> block to the `release-please` job in
> `.github/workflows/release-please.yml`, granting `GITHUB_TOKEN`
> `contents: write` and `pull-requests: write` so `release-please-action`
> can create commits/trees and update the release PR.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
> 676b99d. This will update automatically on new commits. Configure
> [here](https://cursor.com/dashboard?tab=bugbot).</sup>
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

1 parent bde8e57 commit 669cc0c
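As an added example, not code from this commit or from the launchdarkly/js-core repository, the script below builds a constructed workflow in the shape the commit message describes (one job with no `permissions` block, one with), applies the job-level fix, and then audits which jobs would still inherit the repository/organization default `GITHUB_TOKEN` permissions, which is the check the second human-review item asks for across other workflows. The workflow text and the scopes on the `release-common` job are constructed for the example; the scanner is indentation based rather than a YAML parser, so it assumes the usual layout (top-level keys at column 0, job ids at two spaces, job keys at four, scopes at six).

```python
"""Audit GitHub Actions jobs that inherit default GITHUB_TOKEN permissions.

Indentation-based scanner, not a YAML parser: it assumes top-level keys at
column 0, job ids at two spaces, job keys at four, permission scopes at six.
Example code, not part of the launchdarkly/js-core repository.
"""

import re

TOP_KEY_RE = re.compile(r"^([A-Za-z_-]+):")                        # `jobs:`, `permissions:`
JOB_NAME_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")               # job id under `jobs:`
JOB_KEY_RE = re.compile(r"^    ([A-Za-z_-]+):\s*(.*?)\s*$")         # key inside a job
SCOPE_RE = re.compile(r"^      ([a-z-]+):\s*(read|write|none)\s*$")  # scope inside `permissions:`

# Constructed sample modelled on the commit message: the first job declares no
# permissions and so follows the repo/org default; the second job's scopes are
# made up here, the page only says that it declares some explicitly.
BEFORE = """
name: Release Please
on:
  push:
    branches: [main]
jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      - uses: googleapis/release-please-action@v4
  release-common:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
    steps:
      - run: echo publish
"""

# The fix the commit describes: a job-scoped block granting only the two scopes
# the release-please job needs. Unlisted scopes become `none` for that job.
AFTER = BEFORE.replace(
    "  release-please:\n    runs-on: ubuntu-latest\n",
    "  release-please:\n    runs-on: ubuntu-latest\n"
    "    permissions:\n      contents: write\n      pull-requests: write\n",
)


def audit_workflow(text):
    """Return (workflow_level_permissions_present, {job_id: scopes}).

    scopes is None when the job has no `permissions:` block, otherwise a dict of
    scope -> level; a one-line form such as `permissions: read-all` is stored
    under the key "*".
    """
    workflow_level, in_jobs, in_perms, current, jobs = False, False, False, None, {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = TOP_KEY_RE.match(line)
        if m:  # new top-level key: leave any job we were inside
            in_jobs = m.group(1) == "jobs"
            if m.group(1) == "permissions":
                workflow_level = True
            current, in_perms = None, False
            continue
        if not in_jobs:
            continue
        m = JOB_NAME_RE.match(line)
        if m:
            current, in_perms = m.group(1), False
            jobs[current] = None
            continue
        m = JOB_KEY_RE.match(line)
        if m and current is not None:
            in_perms = m.group(1) == "permissions"
            if in_perms:
                value = m.group(2)
                jobs[current] = {"*": value} if value and value != "{}" else {}
            continue
        m = SCOPE_RE.match(line)
        if m and in_perms and current is not None:
            jobs[current][m.group(1)] = m.group(2)
    return workflow_level, jobs


def jobs_inheriting_defaults(text):
    """Job ids whose token permissions come from the repo/org default setting.

    A workflow-level `permissions:` block is explicit as well: jobs without
    their own block inherit from it, not from the default, so none are reported.
    """
    workflow_level, jobs = audit_workflow(text)
    if workflow_level:
        return []
    return sorted(job for job, scopes in jobs.items() if scopes is None)


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "jobs on default token permissions:",
              jobs_inheriting_defaults(text) or "none")
```

Run it over a checkout's `.github/workflows/*.yml` to list the jobs whose privileges would silently change if the repository or organization default is changed again; each reported job is a candidate for an explicit, minimal block like the one this commit adds.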
1 file changed: +3 -0 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
77 | 77 | | |
78 | 78 | | |
79 | 79 | | |
| 80 | + | |
| 81 | + | |
| 82 | + | |
80 | 83 | | |
81 | 84 | | |
82 | 85 | | |
| |||
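Review bot: the three added lines (diff lines 80-82) are not rendered in this view, so the change can only be checked against the description, which says they add a `permissions` block with `contents: write` and `pull-requests: write` to the `release-please` job. Two points to confirm on the file itself: that the block sits under the `release-please` job (indented alongside `runs-on`) and not at workflow level, so the extra write scopes do not widen the token for the other jobs in `release-please.yml`; and that it lists only those two scopes, since a job-level block replaces the default set rather than extending it, so any scope the job previously relied on and that is not listed is dropped. The human review checklist already covers verifying the two scopes against the release-please-action docs.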
0 commit comments