
Commit 9cb3be1

chore: add explicit permissions to release-please workflow (#58)
**Requirements**

- [x] I have added test coverage for new or changed functionality
- [x] I have followed the repository's [pull request submission guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests)
- [x] I have validated my changes against all supported platform versions

No test changes needed — this is a CI workflow configuration change only.

**Related issues**

N/A — identified during an audit of all non-archived `launchdarkly-sdk`-tagged repositories for missing release-please workflow permissions.

**Describe the solution you've provided**

Adds explicit `contents: write` and `pull-requests: write` permissions to the `release-please` job. These are required for the release-please action to:

- Create and update release PRs (`pull-requests: write`)
- Create GitHub releases and push tags (`contents: write`)

Without explicit permissions, the job relies on the repository/org default `GITHUB_TOKEN` permissions, which may be insufficient if defaults are tightened to read-only.

**Describe alternatives you've considered**

Setting permissions at the workflow level (top-level `permissions:` key) was considered, but job-level scoping follows the principle of least privilege and avoids granting unnecessary access to the downstream `publish-package` job (which already has its own explicit permissions block).

**Additional context**

This is part of a batch update across all `launchdarkly-sdk`-tagged repositories whose release-please workflows were missing explicit permissions on their default branch.

**Human review checklist**

- [ ] Adding an explicit job-level `permissions` block restricts the token to *only* the listed permissions (plus `metadata: read`), revoking any previously inherited defaults. Confirm the `release-please` job does not need additional permissions (e.g., `id-token: write`).
- [ ] Verify the downstream `publish-package` job is unaffected (it has its own `permissions` block).

Link to Devin session: https://app.devin.ai/sessions/a83b6e4f4fa14b96b859cfb50755a2c1
Requested by: @kinyoklion

<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk CI change that only scopes `GITHUB_TOKEN` permissions for the `release-please` job; main risk is inadvertently missing a required permission and breaking automated release PR/tag creation.
>
> **Overview**
> Adds an explicit `permissions` block to the `release-please` GitHub Actions job, granting `contents: write` and `pull-requests: write` so the release-please action can create/update release PRs and publish tags/releases even when default token permissions are restricted.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit d6558fc. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
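As an added example (not code from the repository or from this commit), here is a small audit helper in the spirit of the batch audit the description mentions: it walks a workflow file and reports every job whose `GITHUB_TOKEN` scope is inherited from repository/org defaults rather than declared, which is exactly the state this commit fixes for the `release-please` job. The sample workflow, the step it uses and the `publish-package` grants are constructed assumptions (the commit shows neither); the parser assumes the two-space indentation seen in the diff and is a workflow-file checker, not a general YAML parser.

```python
"""Audit a GitHub Actions workflow for jobs whose GITHUB_TOKEN is not
explicitly scoped. Added example, not repository code; hand-parses the
two-space-indented layout used in the diff instead of a YAML library."""
from typing import Dict, List, Optional

# Constructed "before" workflow: the shape of release-please.yml as the diff
# shows it, minus the new permissions block. The action step and the
# publish-package grants are assumptions; the commit does not show them.
BEFORE = """\
name: release-please
on:
  push:
    branches: [main]
jobs:
  release-please:
    runs-on: ubuntu-latest
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
    steps:
      - uses: googleapis/release-please-action@v4   # assumed step
        id: release
  publish-package:
    runs-on: ubuntu-latest
    needs: release-please
    permissions:          # assumed grants for the downstream job
      contents: read
      id-token: write
    steps:
      - run: echo publish
"""

# Constructed "after" workflow: the same file plus the job-level block the
# commit adds (contents: write, pull-requests: write) on release-please.
AFTER = BEFORE.replace(
    "    runs-on: ubuntu-latest\n    outputs:",
    "    runs-on: ubuntu-latest\n"
    "    permissions:\n"
    "      contents: write\n"
    "      pull-requests: write\n"
    "    outputs:",
)


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _meaningful_lines(text: str) -> List[str]:
    """Drop blank lines, full-line comments and trailing ' # ...' comments."""
    out = []
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if line.strip() and not line.lstrip().startswith("#"):
            out.append(line)
    return out


def audit_jobs(workflow: str) -> Dict[str, dict]:
    """Return {job: {"scope": ..., "grants": {...}}} for every job.

    scope is 'job' (explicit block on the job), 'workflow' (a top-level
    permissions: key applies) or 'inherited' (the job relies on whatever the
    repo/org default for GITHUB_TOKEN happens to be). grants holds the
    job-level block's pairs, or {"*": value} for shorthand like read-all.
    """
    lines = _meaningful_lines(workflow)
    workflow_scoped = any(_indent(l) == 0 and l.startswith("permissions:") for l in lines)
    jobs: Dict[str, dict] = {}
    in_jobs = False
    job: Optional[str] = None
    job_indent: Optional[int] = None      # column of job names under jobs:
    child_indent: Optional[int] = None    # column of a job's own keys
    perm_indent: Optional[int] = None     # column of entries inside permissions:
    for line in lines:
        ind, key = _indent(line), line.strip()
        if ind == 0:                                  # new top-level key
            in_jobs = key.startswith("jobs:")
            job = job_indent = child_indent = perm_indent = None
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = ind
        if ind == job_indent and key.endswith(":"):   # a job name
            job = key[:-1]
            jobs[job] = {"scope": "workflow" if workflow_scoped else "inherited", "grants": {}}
            child_indent = perm_indent = None
            continue
        if job is None:
            continue
        if child_indent is None:
            child_indent = ind
        if ind == child_indent and key.startswith("permissions:"):
            jobs[job]["scope"] = "job"
            shorthand = key[len("permissions:"):].strip()
            if shorthand:                             # e.g. permissions: read-all
                jobs[job]["grants"] = {"*": shorthand}
                perm_indent = None
            else:
                perm_indent = -1                      # nested mapping follows
            continue
        if perm_indent is not None and ind > child_indent:
            if perm_indent == -1:
                perm_indent = ind
            if ind == perm_indent and ":" in key:
                k, v = key.split(":", 1)
                jobs[job]["grants"][k.strip()] = v.strip()
            continue
        perm_indent = None                            # any other job key ends the block
    return jobs


def unscoped_jobs(workflow: str) -> List[str]:
    """Jobs that break (or become over-privileged) when the org default changes."""
    return [name for name, info in audit_jobs(workflow).items() if info["scope"] == "inherited"]


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "unscoped jobs:", unscoped_jobs(text))
        print(label, "release-please grants:", audit_jobs(text)["release-please"]["grants"])
```

Run against the "before" text the checker flags `release-please` as inheriting defaults while `publish-package` is already job-scoped; against the "after" text nothing is flagged and the release-please grants are exactly the two scopes the commit adds. Pointing it at every `.github/workflows/*.yml` in a set of repositories gives the kind of list the description's audit produced.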
1 parent 8e01e3e commit 9cb3be1

1 file changed

Lines changed: 3 additions & 0 deletions

.github/workflows/release-please.yml

@@ -8,6 +8,9 @@ on:
88
jobs:
99
release-please:
1010
runs-on: ubuntu-latest
11+
permissions:
12+
contents: write
13+
pull-requests: write
1114
outputs:
1215
release_created: ${{ steps.release.outputs.release_created }}
1316
steps:
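Review bot: the job-level `permissions` block added at hunk lines 11-13 is indented to sit directly under `release-please:` beside `runs-on`, which is the correct placement, and, as the PR description itself points out, an explicit block replaces the inherited defaults rather than adding to them, so this job now holds only `contents: write`, `pull-requests: write` and the implicit `metadata: read`. The `steps:` list is cut off in the hunk, so the diff alone cannot confirm that the release-please step needs nothing beyond creating PRs and tags/releases; the checklist's open question about `id-token: write` should be settled before merge rather than left to the first failed release run. A one-line comment above the block stating why each scope is granted (release PRs versus tags/releases, as the description lists) would make the next least-privilege audit of these workflows quicker.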
