
Fixed ci-release.yml startup_failure blocking tag releases #27473

Merged: 9larsons merged 2 commits into main from fix/ci-release-id-token-permissions on Apr 20, 2026

Conversation

@9larsons
Contributor

@9larsons 9larsons commented Apr 20, 2026

Summary

The v6.31.0 release workflow failed with startup_failure and never published: run 24573212819. Zero jobs created, no logs. This was ci-release.yml's first real firing since dd17126f21 split release CI into a reusable-workflow call.

Root cause

When a caller job invokes a reusable workflow, its permissions: block cannot exceed the calling workflow's top-level permissions. ci-release.yml had no top-level permissions: block, so the ceiling fell back to the repo default (default_workflow_permissions: write). That default includes contents: write and packages: write, but id-token is never in any default — OIDC must always be granted explicitly.

The ci: job then declared id-token: write, exceeding the workflow ceiling. GitHub's graph validator rejected the run before scheduling anything.

This never showed up on the PR CI for the split commit, because PR CI hits ci.yml directly via pull_request, not through ci-release.yml. The bug was gated on an actual v* tag push.

Fix

Add a top-level permissions: block to ci-release.yml matching the caller job's grant. The ceiling now includes id-token: write, so the caller job's grant equals the ceiling and validation passes.

Also grant actions: read at both the workflow and caller-job level. ci.yml's job_setup declares it for nrwl/nx-set-shas. That step is currently gated off on tag runs (if: env.IS_TAG != 'true'), so nothing breaks today if actions: silently downgrades to none through the reusable-workflow cap — but granting it explicitly documents intent and avoids a latent trap if that gate is ever removed.

Test plan

  • Next scheduled Friday release completes end-to-end (npm publish + GitHub Release)
  • Alternatively, push a throwaway v0.0.0-test tag to a fork to confirm the workflow starts past validation
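The ceiling rule the description relies on is easy to get wrong precisely because it only fails on a real tag push. The following is an added example (not code from the PR or the Ghost project) that encodes the rule as a static check: it computes the caller workflow's effective ceiling (explicit top-level block, or the repository default that never includes id-token), flags any reusable-workflow-calling job whose grant exceeds it, and separately shows the silent downgrade the description mentions for actions: read. The sample workflows are constructed dicts in the shape yaml.safe_load would produce, modeled on the broken and fixed ci-release.yml shapes described above; the uses: path and the contents: read request for job_setup are assumptions, and the repository-default scope list is a representative subset.

```python
"""Static check for the reusable-workflow permissions ceiling.

Models the rules the PR description relies on:
  * a caller job that invokes a reusable workflow (`uses:`) may not request
    more than the calling workflow's top-level `permissions:` ceiling;
  * with no top-level block, the ceiling is the repository default
    (`default_workflow_permissions`), which never includes `id-token`;
  * what the reusable workflow's own jobs request is capped at the caller
    job's grant silently, rather than rejected.
Input is the dict shape `yaml.safe_load` produces for a workflow file.
"""

LEVELS = {"none": 0, "read": 1, "write": 2}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}

# Scopes the repository default setting covers (representative subset).
# `id-token` is deliberately absent: OIDC must always be granted explicitly.
DEFAULT_SCOPES = (
    "actions", "checks", "contents", "deployments", "issues",
    "packages", "pages", "pull-requests", "security-events", "statuses",
)


def ceiling_for(workflow, repo_default="write"):
    """Effective top-level ceiling as {scope: level-number}.

    An explicit top-level block sets every unlisted scope to none; without
    one the repo default applies (write or read) and metadata stays read.
    """
    top = workflow.get("permissions")
    if top is not None:
        return {scope: LEVELS[level] for scope, level in top.items()}
    ceiling = {scope: LEVELS[repo_default] for scope in DEFAULT_SCOPES}
    ceiling["metadata"] = LEVELS["read"]
    return ceiling  # no "id-token" key, so it is looked up as none below


def check_caller_jobs(workflow, repo_default="write"):
    """Return (job, scope, requested, allowed) for each grant above the ceiling.

    A non-empty result is the condition GitHub rejects at validation time,
    before any job is created (the startup_failure in the PR).
    """
    ceiling = ceiling_for(workflow, repo_default)
    violations = []
    for job_name, job in workflow.get("jobs", {}).items():
        if "uses" not in job:
            continue  # only reusable-workflow calls are capped this way
        for scope, level in (job.get("permissions") or {}).items():
            allowed = ceiling.get(scope, LEVELS["none"])
            if LEVELS[level] > allowed:
                violations.append((job_name, scope, level, LEVEL_NAMES[allowed]))
    return violations


def effective_callee_permissions(caller_grant, callee_request):
    """Cap what a called workflow's job asks for at the caller job's grant.

    Returns (effective, downgraded): the levels the callee actually gets and
    the scopes that were silently lowered (e.g. actions: read -> none).
    """
    effective, downgraded = {}, []
    for scope, level in callee_request.items():
        cap = caller_grant.get(scope, "none")
        granted = level if LEVELS[level] <= LEVELS[cap] else cap
        effective[scope] = granted
        if granted != level:
            downgraded.append(scope)
    return effective, downgraded


# Constructed caller workflow modeled on the broken ci-release.yml shape the
# PR describes: no top-level block, caller job asks for id-token: write.
# The `uses:` path is assumed; the trigger key is omitted as irrelevant here.
CALLER_JOB = {
    "uses": "./.github/workflows/ci.yml",
    "secrets": "inherit",
    "permissions": {"contents": "write", "packages": "write", "id-token": "write"},
}
BROKEN = {"jobs": {"ci": dict(CALLER_JOB)}}

# Same workflow after the fix: the top-level ceiling matches the caller job's
# grant, and actions: read is granted at both levels.
FIXED_GRANT = {"contents": "write", "packages": "write",
               "id-token": "write", "actions": "read"}
FIXED = {
    "permissions": dict(FIXED_GRANT),
    "jobs": {"ci": dict(CALLER_JOB, permissions=dict(FIXED_GRANT))},
}

# Constructed stand-in for what ci.yml's job_setup requests (actions: read is
# from the PR; contents: read is assumed).
JOB_SETUP_REQUEST = {"contents": "read", "actions": "read"}

if __name__ == "__main__":
    for name, wf in ("broken", BROKEN), ("fixed", FIXED):
        print(f"{name}: {check_caller_jobs(wf) or 'ceiling OK'}")
        grant = wf["jobs"]["ci"]["permissions"]
        print(f"{name}: job_setup gets {effective_callee_permissions(grant, JOB_SETUP_REQUEST)}")
```

Running the check with repo_default="read" also shows why a repository switched to restricted default permissions would have failed on contents: and packages: as well, which is the stronger argument for always writing the top-level block explicitly rather than relying on the repository setting.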

@coderabbitai
Contributor

coderabbitai Bot commented Apr 20, 2026

Walkthrough

The .github/workflows/ci-release.yml workflow file now defines workflow-scoped permissions granting contents: write, packages: write, id-token: write, and actions: read. The ci job-level permissions block was also updated to include actions: read alongside contents: write, packages: write, and id-token: write. The reusable workflow reference, secrets inheritance, and job structure remain unchanged. The change adds 11 lines to the file.

Pre-merge checks (3 passed)
  • Title check: Passed. The title accurately describes the primary fix: adding permissions to ci-release.yml to resolve the startup_failure blocking tag releases.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description check: Passed. The pull request description clearly explains the root cause of the ci-release.yml startup failure, the fix applied, and includes relevant context about the workflow permissions issue.


@9larsons 9larsons requested a review from rob-ghost April 20, 2026 18:28
@codecov

codecov Bot commented Apr 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.72%. Comparing base (d2a1ab8) to head (c6fe52f).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #27473      +/-   ##
==========================================
- Coverage   72.72%   72.72%   -0.01%     
==========================================
  Files        1556     1556              
  Lines      125669   125669              
  Branches    15135    15135              
==========================================
- Hits        91389    91387       -2     
- Misses      33326    33327       +1     
- Partials      954      955       +1     
Flag Coverage Δ
admin-tests 49.73% <ø> (-0.02%) ⬇️
e2e-tests 72.72% <ø> (-0.01%) ⬇️


@9larsons 9larsons enabled auto-merge (squash) April 20, 2026 18:47
@9larsons 9larsons merged commit b219101 into main Apr 20, 2026
45 checks passed
@9larsons 9larsons deleted the fix/ci-release-id-token-permissions branch April 20, 2026 18:54