
fix(ci/release): grant contents:write to goreleaser job#361

Merged
shino merged 1 commit into
masterfrom
shino/releaser-permission
May 11, 2026

Conversation

@shino
Contributor

@shino shino commented May 11, 2026

Summary

  • The default `GITHUB_TOKEN` permissions are read-only in many repo/org configurations, which makes the goreleaser action fail at the "scm releases" step with `403 Resource not accessible by integration` when trying to PATCH the GitHub Release. The sibling repo vulsio/go-cpe-dictionary hit exactly this on its v0.9.5 tag push.
  • Deny everything at the workflow level (`permissions: {}`) and grant `contents: write` only to the goreleaser job, following the least-privilege principle. Mirrors "fix(ci/release): grant contents:write to goreleaser job" (go-cpe-dictionary#275).

Test plan

  • Push a release tag and confirm the GitHub Release is published successfully by goreleaser.

🤖 Generated with Claude Code

The default GITHUB_TOKEN permissions are read-only in many repo/org
configurations, which makes the goreleaser action fail at the "scm
releases" step with `403 Resource not accessible by integration`
when trying to PATCH the GitHub Release.

Deny everything at the workflow level (`permissions: {}`) and grant
`contents: write` only to the goreleaser job, following the
least-privilege principle. Mirrors vulsio/go-cpe-dictionary#275.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
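As an added illustration that is not the diff of this PR, this is what a release workflow shaped as the description says looks like: an empty workflow-level `permissions` block and a job-level `contents: write` on the goreleaser job only. The action version tags, the tag pattern, the Go setup steps and the extra `lint` job are assumptions, not taken from this repository.

```yaml
name: release

on:
  push:
    tags:
      - "v*"   # assumed tag pattern

# Workflow-level default: deny every GITHUB_TOKEN permission. Without this
# block, jobs inherit the repo/org default, which may be read-only (the 403
# in the PR description) or, on older defaults, broad read/write everywhere.
permissions: {}

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    # Job-level grant: contents: write is what goreleaser needs to create
    # and PATCH the GitHub Release and upload its assets. Nothing else is
    # granted here (no packages, issues, pull-requests, id-token, ...).
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4        # version tags are assumptions
        with:
          fetch-depth: 0                 # goreleaser reads tags/history
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: goreleaser/goreleaser-action@v6
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Any other job in the same workflow inherits the empty workflow-level
  # block, so it must state its own minimal needs: read-only checkout here.
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go vet ./...
```

A quick check after merging: the run's log for each job lists the resolved `GITHUB_TOKEN` permissions at the top, so the goreleaser job should show `Contents: write` and the lint job only `Contents: read`.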
@shino shino requested a review from Copilot May 11, 2026 05:52

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adjust GitHub Actions token permissions so the goreleaser job can update/publish GitHub Releases when org/repo defaults make GITHUB_TOKEN read-only.

Changes:

  • Set workflow-level `permissions: {}` to deny all default token permissions.
  • Grant `contents: write` only to the goreleaser job to allow release publication/updates.

Collaborator

@MaineK00n MaineK00n left a comment


👍

@shino shino merged commit 646d525 into master May 11, 2026
11 checks passed
@shino shino deleted the shino/releaser-permission branch May 11, 2026 06:15