ci: add permissions to release-sdk caller job #32

Merged: jsonbailey merged 1 commit into main from devin/1778774610-fix-release-please-permissions on May 14, 2026

@kinyoklion (Member) commented May 14, 2026

Requirements

  • I have added test coverage for new or changed functionality
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions

Related issues

Fixes Release Please startup_failure that has been occurring since the org added explicit permissions to release-please workflows.

Describe the solution you've provided

Adds explicit permissions to the release-sdk caller job that invokes publish.yml as a reusable workflow. Without these permissions, the reusable workflow's permission declarations exceed the restricted defaults, causing GitHub to reject the workflow at startup.

Describe alternatives you've considered

Moving publish steps inline (as done in ruby-server-sdk) would also fix this, but is a larger change.

Additional context

Same fix pattern applied in dotnet-core (PR #241) on April 8 which resolved the identical startup_failure there.

Link to Devin session: https://app.devin.ai/sessions/54e32482848742c19ebf9c374efdc833
Requested by: @kinyoklion


Note

Low Risk
Low risk workflow-only change; it only expands the job token permissions needed for the release publish step and does not affect application code.

Overview
Fixes Release Please workflow startup_failure by adding explicit permissions to the release-sdk job that calls the reusable publish.yml workflow.

The caller job now grants id-token: write, contents: write, and attestations: write so the reusable workflow’s required permissions are not rejected by GitHub’s default restricted token.

Reviewed by Cursor Bugbot for commit b146f92. Bugbot is set up for automated code reviews on this repo.
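
The permission comparison behind the startup_failure described above, as an added example that is not part of the original post or the repository's code. The function names, the mapping form of the `permissions` blocks (no `read-all`/`write-all` shorthand) and the scopes of the restricted default token are assumptions.

```python
# Added illustration, not code from the PR or the repository.
LEVELS = {"none": 0, "read": 1, "write": 2}

# Assumption: scopes of the restricted default GITHUB_TOKEN, which applies
# only when neither the caller workflow nor the caller job sets `permissions`.
RESTRICTED_DEFAULT = {"contents": "read", "packages": "read"}

# Scopes the PR says the reusable publish.yml needs.
PUBLISH_REQUESTS = {"id-token": "write", "contents": "write",
                    "attestations": "write"}


def effective_grant(workflow_perms, job_perms, default=RESTRICTED_DEFAULT):
    """Token scopes the caller job can pass to the workflow it calls.

    A job-level block replaces the workflow-level one, which replaces the
    default; inside a declared block every omitted scope is "none".
    """
    for declared in (job_perms, workflow_perms):
        if declared is not None:
            return dict(declared)
    return dict(default)


def excess_permissions(granted, requested):
    """Map scope -> (granted, requested) where the callee asks for more."""
    excess = {}
    for scope, want in requested.items():
        have = granted.get(scope, "none")
        if LEVELS[want] > LEVELS[have]:
            excess[scope] = (have, want)
    return excess


if __name__ == "__main__":
    # Constructed caller states: no permissions block, then the PR's fix.
    before = effective_grant(workflow_perms=None, job_perms=None)
    after = effective_grant(workflow_perms=None, job_perms=PUBLISH_REQUESTS)
    for label, grant in (("before", before), ("after", after)):
        problems = excess_permissions(grant, PUBLISH_REQUESTS)
        print(label, "startup_failure" if problems else "ok", problems)
```

Run against parsed workflow files in a pre-merge check, a non-empty result flags a caller job that GitHub would reject before any step runs.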

The release-please workflow fails with startup_failure because the
caller job invoking publish.yml does not declare explicit permissions.
This causes the reusable workflow's permission requirements to exceed
the restricted defaults.

Co-Authored-By: rlamb@launchdarkly.com <4955475+kinyoklion@users.noreply.github.com>
@devin-ai-integration (Contributor)

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@jsonbailey jsonbailey marked this pull request as ready for review May 14, 2026 16:59
@jsonbailey jsonbailey requested a review from a team as a code owner May 14, 2026 16:59
@jsonbailey jsonbailey merged commit ce83531 into main May 14, 2026
12 checks passed
@jsonbailey jsonbailey deleted the devin/1778774610-fix-release-please-permissions branch May 14, 2026 22:42