
fix: grant full union of permissions for nested release jobs#212

Merged: jmeridth merged 1 commit into main from fix/release-workflow-permissions on May 11, 2026

Conversation

@jmeridth

Member

What

Expand the release job's permissions: block to grant id-token: write, attestations: write, packages: write, and discussions: write in addition to the existing two. The block now covers the union of permissions declared by every job in the called ospo-reusable-workflows/release.yaml@v1.0.1.

Why

The merge of #211 left main on the consolidated workflow with only contents: write + pull-requests: read. The pull_request_target: closed Release run that fired on merge failed with startup_failure:

The nested job 'release_image' is requesting 'attestations: write, packages: write, id-token: write', but is only allowed 'attestations: none, packages: none, id-token: none'.

GitHub validates each nested job's permissions: against the caller's grant at workflow startup, before evaluating that job's if: — except when the gate folds statically to false. The gates on release_goreleaser (inputs.goreleaser-config-path != '') and release_image (inputs.image-name != '') are string comparisons the validator can't fold, so their perms are checked even though both jobs would have been skipped at runtime here (this repo sets neither input).

Notes

  • release_discussion's gate (inputs.create-discussion && ...) DOES fold statically (boolean default false), so the validator skips it today and discussions: write is not technically required. Granted anyway as a defensive measure in case the upstream rearranges that if: later — it costs nothing today and prevents a future silent regression.
  • This PR carries the release label so the now-fixed workflow fires on merge and cuts the release that ci: adopt consolidated ospo-reusable-workflows release.yaml #211 never produced.
  • Reviewers: please watch the Release run on the merge commit — create_release + publish_release should succeed, and release_goreleaser / release_image / release_discussion should appear as skipped.

Testing

  • make test — passes (command, config, internal/install, internal/manifest, internal/registry, pluginkit, utils all green).
  • golangci-lint run ./... — 0 issues.
  • The fix itself is the workflow file change. Real validation is the post-merge Release run cutting a release; no local dry-run is possible for the pull_request_target chain.

## What

Expand the `release` job's `permissions:` block to grant `id-token: write`, `attestations: write`, `packages: write`, and `discussions: write` in addition to the existing two. The block now covers the union of permissions declared by every job in the called `ospo-reusable-workflows/release.yaml@v1.0.1`.

## Why

The merge of #211 left main on the consolidated workflow with only `contents: write` + `pull-requests: read`. The `pull_request_target: closed` Release run that fired on merge failed with `startup_failure`: "The nested job 'release_image' is requesting 'attestations: write, packages: write, id-token: write', but is only allowed ...". GitHub validates each nested job's `permissions:` against the caller's grant at workflow startup, **before** evaluating that job's `if:` — except when the gate folds statically to `false`. The gates on `release_goreleaser` (`inputs.goreleaser-config-path != ''`) and `release_image` (`inputs.image-name != ''`) are string comparisons the validator can't fold, so their perms are checked even though both jobs would have been skipped at runtime here (this repo sets neither input).

## Notes

- `release_discussion`'s gate (`inputs.create-discussion && ...`) DOES fold statically (boolean default `false`), so the validator skips it today and `discussions: write` is not technically required. Granting it anyway as a defensive measure in case the upstream rearranges that `if:` later.
- This PR carries the `release` label so the now-fixed workflow fires on merge and cuts the release that #211 never produced. Worth confirming the `Release` run on the merge commit completes (create_release + publish_release succeed, release_goreleaser / release_image / release_discussion skipped).

Signed-off-by: jmeridth <jmeridth@gmail.com>
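Added example, not code from this PR or from ospo-reusable-workflows: a small model of the startup check the description explains, used to show why the two-scope grant fails and why the union grant (with or without the folded `discussions` scope) passes. Only `release_image`'s requested scopes come from the quoted error; the other per-job permission sets are constructed, and whether a gate folds is recorded as a flag taken from the description rather than parsed from the `if:` expression.

```python
"""Model of the nested-job permission check described in the PR.

Assumption (constructed model, not GitHub's validator): at startup every
called job whose `if:` gate cannot be folded to a static false has its
`permissions:` compared against the caller's grant; a scope the caller
did not declare counts as `none`.
"""
LEVELS = {"none": 0, "read": 1, "write": 2}

# Jobs of the called reusable workflow. `folds_false` marks gates the
# validator can decide statically (per the PR: the boolean
# create-discussion gate folds, the string comparisons do not).
# Only release_image's scopes are from the PR; the rest are constructed.
CALLED_JOBS = {
    "create_release":     {"perms": {"contents": "write", "pull-requests": "read"}, "folds_false": False},
    "publish_release":    {"perms": {"contents": "write"}, "folds_false": False},
    "release_goreleaser": {"perms": {"contents": "write", "id-token": "write", "attestations": "write"}, "folds_false": False},
    "release_image":      {"perms": {"attestations": "write", "packages": "write", "id-token": "write"}, "folds_false": False},
    "release_discussion": {"perms": {"discussions": "write"}, "folds_false": True},
}

def required_union(jobs):
    """Union of permissions across all jobs; the highest level wins per scope."""
    union = {}
    for job in jobs.values():
        for scope, level in job["perms"].items():
            if LEVELS[level] > LEVELS[union.get(scope, "none")]:
                union[scope] = level
    return union

def startup_errors(caller_grant, jobs):
    """GitHub-style startup errors for every job whose gate does not fold."""
    errors = []
    for name, job in jobs.items():
        if job["folds_false"]:
            continue  # the validator skips a gate it can prove false
        short = {s: l for s, l in job["perms"].items()
                 if LEVELS[l] > LEVELS[caller_grant.get(s, "none")]}
        if short:
            requested = ", ".join(f"{s}: {l}" for s, l in short.items())
            allowed = ", ".join(f"{s}: {caller_grant.get(s, 'none')}" for s in short)
            errors.append(f"The nested job '{name}' is requesting '{requested}', "
                          f"but is only allowed '{allowed}'.")
    return errors

BEFORE = {"contents": "write", "pull-requests": "read"}  # what #211 left on main
AFTER = {**BEFORE, "id-token": "write", "attestations": "write",
         "packages": "write", "discussions": "write"}     # this PR's grant

if __name__ == "__main__":
    for err in startup_errors(BEFORE, CALLED_JOBS):
        print(err)
    print("after fix:", startup_errors(AFTER, CALLED_JOBS) or "no startup errors")
```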
@jmeridth jmeridth self-assigned this May 11, 2026
@github-actions github-actions Bot added the fix label May 11, 2026
@jmeridth jmeridth marked this pull request as ready for review May 11, 2026 04:13
@jmeridth jmeridth requested a review from a team as a code owner May 11, 2026 04:13
@jmeridth jmeridth merged commit 608e21e into main May 11, 2026
9 checks passed
@jmeridth jmeridth deleted the fix/release-workflow-permissions branch May 11, 2026 04:13
