fix: grant auto_release.yml the permissions deploy.yml requires#61
Merged
Every manual release (App-bot tag push) triggered Auto Release, which failed with "Invalid workflow file" — it calls deploy.yml (needs id-token: write + packages: write) but only granted contents: write. GitHub rejects the file at validation time, BEFORE the actor guard (`if: github.actor != 'vault-cortex-release[bot]'`, PR #53) can skip the jobs — so it failed loudly on v0.15.2–v0.15.5 instead of skipping. Added id-token: write + packages: write so the file validates. Now a bot-pushed tag validates, the actor guard skips validate → deploy → release, and the run completes as a clean skip (no red X). A genuine non-bot tag push (local `git push --tags`) now also deploys as intended.
Summary
Every manual release leaves a failed "Auto Release" run (red X on v0.15.2–v0.15.5). This completes the fix PR #53 intended.
Why PR #53 wasn't enough
PR #53 added `if: github.actor != 'vault-cortex-release[bot]'` to the `validate` job so the App-bot's tag push would skip Auto Release. But `auto_release.yml` calls `deploy.yml` (which requires `id-token: write` + `packages: write`) while only granting `contents: write`. GitHub rejects the workflow at file-validation time — before any job `if:` is evaluated — so the actor guard never runs and the workflow fails loudly instead of skipping.
Fix
Grant `auto_release.yml` the permissions `deploy.yml` needs (matching `manual_release.yml`):
Result
- Bot tag push (`manual_release`) now: file validates → actor guard skips `validate` → `deploy`/`release` skip via `needs:` → run completes as a clean skip (gray), no red X.
- Local tag push (`git push --tags`) now actually deploys + releases as the workflow was meant to.
Note
GitHub triggers `on: push tags v*` regardless of actor, so a (now-benign, skipped) Auto Release run record will still appear for each manual release — there's no way to suppress the trigger itself. If you'd rather have zero Auto Release runs (e.g., you only ever release via the `manual_release` workflow button and never push tags locally), the alternative is to remove `auto_release.yml` entirely — say the word and I'll do that instead.
YAML validated.
Generated by Claude Code
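The caller/callee permission relationship this PR describes, as an added example and not the repository's own file: a minimal `auto_release.yml` whose top-level `permissions` block carries the two grants the PR adds. The `./.github/workflows/deploy.yml` path and the step bodies of `validate` and `release` are assumptions; the job names, actor guard, tag pattern and permission names come from the PR.

```yaml
# Added example (not the repository's actual auto_release.yml).
name: Auto Release

on:
  push:
    tags: ['v*']   # fires on every v* tag push, whatever the actor is

# A caller must grant at least every permission the reusable workflow it
# `uses:` declares; the called workflow can only lower them, never raise them.
# GitHub checks this while parsing the file, so with only `contents: write`
# the run died with "Invalid workflow file" before any job `if:` was evaluated.
permissions:
  contents: write
  id-token: write    # added: deploy.yml requests it (OIDC token exchange)
  packages: write    # added: deploy.yml requests it (package publish)

jobs:
  validate:
    # Actor guard from PR #53: skipped when the release bot pushed the tag.
    if: github.actor != 'vault-cortex-release[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "validating tag ${GITHUB_REF_NAME}"   # assumed placeholder

  deploy:
    needs: validate          # skipped transitively when validate is skipped
    uses: ./.github/workflows/deploy.yml   # path is an assumption
    secrets: inherit

  release:
    needs: deploy            # likewise skipped when deploy is skipped
    runs-on: ubuntu-latest
    steps:
      - run: echo "creating release for ${GITHUB_REF_NAME}"   # assumed placeholder
```

With this block in place, a bot-pushed tag produces a run whose three jobs all show as skipped and whose overall conclusion is success, which is the "clean skip" the PR describes; the earlier state is reproduced by deleting the two added lines.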