ci: grant issues/PR write to fix semantic-release success step#155
Conversation
The explicit permissions block restricts GITHUB_TOKEN to only the listed scopes. semantic-release's @semantic-release/github success hook comments on released issues/PRs, which needs issues:write and pull-requests:write. Without them the publish succeeds but the job exits 403 (Resource not accessible by integration).
PR Summary by QodoCI: add issues/PR write permissions for semantic-release success hook Description
Diagram
High-Level Assessment
Files changed (1)
|
Code Review by Qodo
|
Qodo FixerNo findings are within the configured fix scope. To change which findings are fixed, adjust the setting on your Qodo configuration page. |
cypress-plugin-api
|
||||||||||||||||||||||||||||
| Project |
cypress-plugin-api
|
| Branch Review |
ci/fix-semantic-release-permissions
|
| Run status |
|
| Run duration | 01m 20s |
| Commit |
|
| Committer | Filip Hric |
| View all properties for this run ↗︎ | |
| Test results | |
|---|---|
|
|
0
|
|
|
0
|
|
|
0
|
|
|
0
|
|
|
91
|
| View all changes introduced in this branch ↗︎ | |
Context
In the run for #154 on `main`, trusted publishing worked end to end — 2.12.0 published to npm with provenance, git tag and GitHub release created. But the job still exited non-zero.
What failed
`@semantic-release/github`'s post-release `success` hook (which comments on the issues/PRs included in a release, e.g. #151) got:
```
HttpError: Resource not accessible by integration
PATCH /repos//issues/151 → 403
x-accepted-github-permissions: issues=write; pull_requests=write
```
Root cause
Adding an explicit `permissions:` block in #154 restricts `GITHUB_TOKEN` to only the listed scopes. We listed `contents` + `id-token` but omitted `issues` / `pull-requests`, so the release commenting was denied.
Fix
Add `issues: write` and `pull-requests: write` to the job's permissions block. No effect on the (already working) OIDC publish path.