chore: add explicit permissions to release-please workflow#513
Merged
kinyoklion merged 2 commits intomainfrom Mar 25, 2026
Merged
chore: add explicit permissions to release-please workflow#513kinyoklion merged 2 commits intomainfrom
kinyoklion merged 2 commits intomainfrom
Conversation
Co-Authored-By: rlamb@launchdarkly.com <kingdewman@gmail.com>
Contributor
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
joker23
approved these changes
Mar 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds explicit
contents: writeandpull-requests: writepermissions to therelease-pleasejob. These are required for the release-please action to create release PRs and GitHub releases. Without explicit permissions, the job relies on the repository/org defaultGITHUB_TOKENpermissions, which may be insufficient if defaults are tightened to read-only.Downstream jobs (release-client, release-server, provenance, etc.) already have their own explicit permissions blocks and are unaffected by this change.
Review & Testing Checklist for Human
release-pleasejob. Adding an explicit job-levelpermissionsblock restricts the token to only the listed permissions, revoking any previously inherited defaults. If the release-please action in this repo needs anything beyondcontentsandpull-requests(e.g.,id-token: write), it will break.release-pleaseworkflow run (triggered by a push tomain) to confirm it still creates/updates release PRs successfully.Notes
This is part of a batch update across all
launchdarkly-sdk-tagged repositories whose release-please workflows were missing explicit permissions on their default branch.Link to Devin session: https://app.devin.ai/sessions/a83b6e4f4fa14b96b859cfb50755a2c1
Requested by: @kinyoklion
Note
Low Risk
Low risk configuration change, but it can break releases if
release-pleaserequires additional permissions beyondcontentsandpull-requestsunder restricted tokens.Overview
Hardens the
release-pleaseGitHub Actions workflow by adding an explicit job-levelpermissionsblock forrelease-please(contents: writeandpull-requests: write).This removes reliance on repository/org default
GITHUB_TOKENpermissions and ensures the job can create/update release PRs and GitHub releases when defaults are tightened.Written by Cursor Bugbot for commit 16f70bb. This will update automatically on new commits. Configure here.