ci: Add top-level permissions to publish-release workflow#9026
Merged
Conversation
Member:
Hmm. This is a fairly subtle problem. We should have a more explicit way than this to enable dry runs. Making the dry-run contingent on the presence of the npm token was already pretty bad IMO, this is worse.
Member (Author):
Yes, I agree. In hindsight we should've added an explicit
mcmire approved these changes (Jun 5, 2026)
mcmire (Contributor) left a comment:
Good to know. Knowing when and where to specify permissions is always confusing to me :/
pull Bot pushed a commit to dmrazzy/core that referenced this pull request (Jun 5, 2026):
## Explanation

This is the release candidate for version `1022.0.0`.

Blocked by this change:

- MetaMask#9026

## References

## Checklist

- [ ] I've updated the test suite for new or updated code as appropriate
- [ ] I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
- [ ] I've communicated my changes to consumers by [updating changelogs for packages I've changed](https://github.com/MetaMask/core/tree/main/docs/processes/updating-changelogs.md)
- [ ] I've introduced [breaking changes](https://github.com/MetaMask/core/tree/main/docs/processes/breaking-changes.md) in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

---

> [!NOTE]
> **High Risk**
> Major bump of transaction-controller removes constructor options/hooks and changes messenger requirements, affecting every package that constructs or integrates TransactionController across the monorepo.
>
> **Overview**
> **Monorepo release `1022.0.0`**: bumps the root version from `1021.0.0` and aligns dependents on **`@metamask/transaction-controller` `^67.0.0`** (from `^66.0.1`) across assets, bridge, EIP-5792, gator-permissions, phishing, shield, subscription, user-operation, and related packages, with matching **`yarn.lock`** updates and **Unreleased** changelog notes.
>
> **`@metamask/transaction-controller` `67.0.0`** is cut in this release (changelog section moved out of Unreleased). Consumers should treat **67** as **breaking**: deprecated constructor options and several hooks/types are removed in favor of required messenger actions (`GasFeeController`, `KeyringController`, `NetworkController`), and **`PendingTransactionTracker` resubmit logic is removed**.
>
> **`@metamask/transaction-pay-controller` `23.2.0`** is also versioned in this PR (package + changelog compare links); its listed features/changes live in that package's changelog entry for 23.2.0.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit a9e369c. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Explanation

By default, all jobs in a workflow inherit the permissions provided to it in the caller (`main.yml` in this case). This meant that `publish-release.yml` had `contents: write` and `id-token: write` in all jobs, including the dry run job. This made the dry run job think it was an actual run, and try to publish (which failed). By explicitly specifying permissions, jobs will inherit those permissions instead. We do this in the module template too.

References
Checklist
Note
Low Risk
CI-only permission scoping for GitHub Actions; no application or runtime behavior changes.
Overview
Adds workflow-level `permissions: contents: read` to the reusable `publish-release` workflow so jobs no longer inherit `contents: write` and `id-token: write` from the caller in `main.yml`. Without this default, the `publish-npm-dry-run` job received publish-level permissions and the npm publish action treated the run as a real release instead of a dry run. Jobs that still need elevated access keep explicit overrides: `publish-release` sets `contents: write`, and `publish-npm` sets `contents: read` plus `id-token: write`.

Reviewed by Cursor Bugbot for commit 9cbf2ba. Bugbot is set up for automated code reviews on this repo. Configure here.
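To make the inheritance rule concrete, here is an added example (not code from this PR or the MetaMask repository) that models how a caller's `GITHUB_TOKEN` permissions reach the jobs of a reusable workflow. The job names and permission sets are taken from the description above; the resolution helpers are hypothetical, and the downgrade-only rule for called workflows is GitHub's documented behaviour.

```python
# Added example: resolves the effective GITHUB_TOKEN permissions of each job in
# a reusable workflow, before and after adding a top-level permissions block.
# Workflow/job definitions are constructed to mirror the PR's scenario.
from typing import Dict, List, Optional

Perms = Dict[str, str]

# Caller (main.yml in the PR) passes publish-level access to the reusable workflow.
CALLER_PERMS: Perms = {"contents": "write", "id-token": "write"}

# Jobs of the reusable publish-release workflow. None means the job has no
# explicit permissions block and therefore inherits from workflow or caller.
JOBS: Dict[str, Optional[Perms]] = {
    "publish-release": {"contents": "write"},
    "publish-npm": {"contents": "read", "id-token": "write"},
    "publish-npm-dry-run": None,
}

RANK = {"none": 0, "read": 1, "write": 2}


def resolve(requested: Perms, caller: Perms) -> Perms:
    """Apply a permissions block against the caller's token.

    Two rules: scopes the block does not list become 'none', and a called
    workflow can only downgrade what the caller granted, never elevate it.
    """
    out: Perms = {}
    for scope, caller_level in caller.items():
        wanted = requested.get(scope, "none")
        out[scope] = wanted if RANK[wanted] <= RANK[caller_level] else caller_level
    return out


def effective_permissions(job: Optional[Perms], workflow: Optional[Perms],
                          caller: Perms) -> Perms:
    """Job block wins, then the workflow's top-level block, else caller perms."""
    if job is not None:
        return resolve(job, caller)
    if workflow is not None:
        return resolve(workflow, caller)
    return dict(caller)  # nothing explicit: inherit the caller's token as-is


def jobs_with_write_access(workflow: Optional[Perms],
                           caller: Perms = CALLER_PERMS) -> List[str]:
    """Names of jobs whose effective token can write anything (publish-capable)."""
    return sorted(
        name for name, job in JOBS.items()
        if "write" in effective_permissions(job, workflow, caller).values()
    )
```

Before the fix (`workflow=None`) the dry-run job resolves to the caller's full `contents: write` and `id-token: write`; with the top-level `{"contents": "read"}` block it drops to `contents: read` only, while the two publishing jobs keep exactly what their own blocks request.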