chore: add explicit permissions to release-please workflow #149
kinyoklion merged 1 commit into main from
Conversation
Co-Authored-By: rlamb@launchdarkly.com <kingdewman@gmail.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write | ||
| pull-requests: write |
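Review bot: an explicit `permissions` block replaces the inherited default token scopes rather than adding to them, so after this hunk the job's `GITHUB_TOKEN` holds only `contents: write`, `pull-requests: write` and the implicit `metadata: read`. Before merging, confirm the release-please step needs no other scope in this repository (the description's checklist names `id-token: write`, and the Bugbot finding names `issues: write` for label creation); if one is needed, add it to this block rather than falling back to the repository default.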
Missing `issues: write` permission for release-please label creation
High Severity
The new explicit permissions block is missing `issues: write`, which release-please-action v4.4.0 requires to create labels on pull requests when using `secrets.GITHUB_TOKEN`. Before this change, the job inherited default token permissions (which likely included `issues: write`). Adding an explicit permissions block restricts the token to only the listed permissions plus `metadata: read`, so `issues: write` is now effectively revoked. This can cause the action to fail with "You do not have permission to create labels on this repository," and without proper labels, subsequent release triggers may also break.
Irrelevant when the label has already been created.


Requirements
No test changes needed — this is a CI workflow permissions fix only.

Related issues
N/A — identified during an audit of all non-archived launchdarkly-sdk-tagged repositories for missing release-please workflow permissions.

Describe the solution you've provided
Adds explicit `contents: write` and `pull-requests: write` permissions to the `release-please` job. These are required for the release-please action to:
- … (`pull-requests: write`)
- … (`contents: write`)

Without explicit permissions, the job relies on the repository/org default `GITHUB_TOKEN` permissions, which may be insufficient if defaults are tightened to read-only.

Downstream release jobs (`release-server-sdk`, `release-server-sdk-otel`, etc.) already have their own explicit `permissions` blocks and are unaffected.

Describe alternatives you've considered
Setting permissions at the workflow level (top-level `permissions:` key) was considered, but job-level scoping follows the principle of least privilege.

Additional context
This is part of a batch fix across all launchdarkly-sdk-tagged repositories whose release-please workflows were missing explicit permissions.

Human review checklist
- … `permissions` block restricts the token to only the listed permissions (plus `metadata: read`). Confirm the `release-please-action` step does not require any additional permissions (e.g., `id-token: write`) in this repo's configuration.

Link to Devin session: https://app.devin.ai/sessions/a83b6e4f4fa14b96b859cfb50755a2c1
Requested by: @kinyoklion
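The two scoping choices the description compares, shown side by side as an added illustration that is not the repository's own `.github/workflows/release-please.yml` (only the four lines in the diff above are visible from it). The workflow name, trigger, the `googleapis/release-please-action` version tag and the step inputs are assumptions; the permission values come from the diff.

```yaml
# Added example: a minimal release-please workflow contrasting the rejected
# workflow-level permissions block with the job-level block this PR adds.
name: release-please            # assumed name
on:
  push:
    branches: [main]

# Alternative the PR considered and rejected. A top-level block applies to
# every job in the file, so any job added later inherits write scopes it
# may not need. Left commented out to show the shape only.
# permissions:
#   contents: write
#   pull-requests: write

jobs:
  release-please:
    runs-on: ubuntu-latest
    # Job-level block (what the PR adds). Listing permissions here replaces
    # the repository/org default GITHUB_TOKEN scopes rather than extending
    # them: this job's token gets exactly these scopes plus the implicit
    # metadata: read, and every unlisted scope (issues, packages, id-token,
    # ...) is none. Omitting the block entirely is the "before" state, where
    # the effective scopes depend on the repository/org default setting.
    permissions:
      contents: write        # create tags and releases
      pull-requests: write   # open and update the release PR
      # issues: write        # add only if the action must create labels
                             # (the Bugbot finding above); leave out otherwise
    steps:
      - uses: googleapis/release-please-action@v4   # assumed version tag
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
```

Because the explicit block is a hard ceiling on the token, the practical check before merging is the one the PR's own checklist asks for: enumerate what the release-please step actually does in this repository (release PR, tag, release, label) and make sure each action maps to a listed scope; a missing scope surfaces as a 403 from the GitHub API at run time, not at workflow validation time.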
Note
Low Risk
Low risk CI-only change that adjusts GitHub Actions token permissions; main impact is enabling/disabling release automation if mis-scoped.
Overview
Release automation hardening: the `release-please` job now explicitly requests `contents: write` and `pull-requests: write` permissions in `.github/workflows/release-please.yml`. This removes reliance on repository/org default `GITHUB_TOKEN` permissions and ensures the release-please action can create/update release PRs and create tags/releases.
Written by Cursor Bugbot for commit 9c53991.