fix: add permissions to npm-publish job to allow semantic-release to create GitHub releases

[Copilot]

Problem

The npm-publish job was failing with a 404 error when semantic-release attempted to create a GitHub release:

RequestError [HttpError]: Not Found
status: 404
url: 'https://api.github.com/repos/pelias/spatial/releases'

See the failed job: https://github.com/pelias/spatial/actions/runs/18126994658/job/51584734348

The package was successfully published to npm, but the workflow failed before completing the GitHub release creation step.

Root Cause

GitHub Actions requires explicit permissions declarations at the job level to allow operations like creating releases, even when using a personal access token with the appropriate OAuth scopes. Without these explicit permissions, GitHub Actions denies the operation as a security measure.

The GH_SEMANTIC_RELEASE_TOKEN had the correct OAuth scopes (repo, user:email, workflow, write:repo_hook), but the workflow lacked the job-level permission configuration needed for semantic-release to create releases via the GitHub API.

Solution

Added explicit permissions to the npm-publish job:

permissions:
  contents: write      # Required to create releases and push tags
  issues: write        # Allows commenting on related issues
  pull-requests: write # Allows commenting on related PRs

These permissions enable semantic-release to:

• Create GitHub releases via the REST API
• Push version tags to the repository
• Optionally comment on issues and PRs included in the release

Impact

This is a minimal, surgical fix that only adds 4 lines to the workflow configuration. With this change, future releases on the master branch will successfully create GitHub releases after publishing to npm, completing the full semantic-release workflow.

Original prompt

why did this job fail?

https://github.com/pelias/spatial/actions/runs/18126994658/job/51584734348

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.