fix: add contents write permission and force tag updates

[shenxianpeng]

closes #318

Summary by CodeRabbit

• Chores
  • Streamlined the release workflow to use a single atomic rolling-tag update, improving reliability and reducing publish failures.
  • Rolling release tags are now consistently updated automatically, reducing manual cleanup and producing more predictable release artifacts.
  • Updated workflow permissions to support automated publishing.
  • Releases should be faster and less error-prone with no impact on app functionality or user experience.

[Copilot]

Pull Request Overview

This PR fixes GitHub workflow permissions and improves the tag update process by adding necessary write permissions and using force operations instead of delete-and-recreate operations for Git tags.

• Adds contents: write permission to enable the workflow to write to the repository
• Simplifies tag update operations by using force flags instead of explicit delete operations

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[coderabbitai]

Walkthrough

Release workflow simplified: added top-level contents: write permission and consolidated tag update steps into a single "Update rolling tag" step that computes MAJOR_VERSION from the latest tag, force-annotates the chosen tag, and forces it to the origin (default input tag remains v2).

Changes

Cohort / File(s)	Summary
Release workflow .github/workflows/release.yml	Added top-level permissions: contents: write. Replaced per-path conditional tag-delete/create flows with a single "Update rolling tag" step that computes MAJOR_VERSION via `git tag --list --sort=-v:refname

Sequence Diagram(s)

sequenceDiagram
    participant Runner as GitHub Actions Runner
    participant Local as local Git repo
    participant Remote as origin (remote)

    Note over Runner: Determine tag to update
    Runner->>Local: git tag --list --sort=-v:refname
    Runner->>Local: head -n1 | cut -d. -f1  => MAJOR_VERSION

    alt inputs.tag provided
        Runner->>Local: tag = inputs.tag
    else
        Runner->>Local: tag = MAJOR_VERSION
    end

    Note over Runner,Local: Force-annotate/tag locally
    Runner->>Local: git tag --force --annotate <tag> -m "Retag <tag>"

    Note over Runner,Remote: Force-push tag to origin
    Runner->>Remote: git push origin <tag> --force
    Note over Remote: rolling tag updated

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Ensure release workflow has required workflows permission to allow updating .github/workflows/release.yml (#318)	❌	The PR adds contents: write but does not add workflows permission required for updating workflow files.

Assessment against linked issues: Out-of-scope changes

Code Change	Explanation
Consolidated tag update flow to a single forced retag step (.github/workflows/release.yml)	This change alters tagging strategy and replaces delete/recreate logic but is unrelated to the linked issue's objective of adding workflows permission.

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch shenxianpeng-patch-1

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbit in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbit in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbit gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbit read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbit help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbit ignore or @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbit summary or @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbit or @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/release.yml (1)

34-42: Tighten conditions to avoid ambiguity across events.

Guard steps by event type to prevent empty/undefined inputs from surprising behavior on release vs. manual runs.

Apply:

-    - name: Update tag with parameter
-      if: github.event.inputs.tag != ''
+    - name: Update tag with parameter
+      if: ${{ github.event_name == 'workflow_dispatch' && inputs.tag != '' }}

-    - name: Update rolling tag
-      if: github.event.inputs.tag == ''
+    - name: Update rolling tag
+      if: ${{ github.event_name == 'release' && github.event.action == 'released' }}

Rationale: make the intent explicit—manual dispatch uses the provided tag; release events advance the rolling v2 tag. If you still want dispatch-with-empty-tag to fall back to v2, keep the second condition OR add a third step for that case.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between ca33540 and 54e0f13.

📒 Files selected for processing (1)

• .github/workflows/release.yml (2 hunks)

🔇 Additional comments (3)

.github/workflows/release.yml (3)

36-38: LGTM: safer, simpler forced retag.

Replacing delete/recreate with git tag -fa + git push --force is correct and avoids transient missing-tag windows.

---

41-42: LGTM: rolling tag update is consistent with the parameterized step.

The forced update for the rolling v2 tag matches the new approach and should behave deterministically.

---

18-20: Grant the GitHub App “workflows” permission in Settings (cannot be set in the workflow file)

The permissions: contents: write line only elevates the GITHUB_TOKEN’s access to repository contents (e.g. pushing tags) and does not grant any rights to create or modify workflow YAML files. GitHub Apps must have their Workflows permission granted at the App-level or repository settings (or you must use a PAT scoped to workflow) to avoid the error:

refusing to allow a GitHub App to create or update workflow .github/workflows/... without workflows permission

Key points:

• The permissions: block in a workflow supports only the built-in token scopes (contents, checks, issues, deployments, etc.) and does not include a workflows key.
• To resolve the error, navigate to your repository’s Settings → Actions → General → Workflow permissions, and grant the GitHub Actions App “Read and write permissions” for Workflows.
• Alternatively, replace GITHUB_TOKEN with a PAT that has the workflow scope.

Let me know if you’d like a short maintainer note or sample instructions on how to configure that setting.

[2bndy5]

This seems fine. Although it is just a temp patch.

1. I personally prefer using the long arg name for passersby. But I already know that -fa means --force --annotate and -m is a pretty commonly used.
2. The 2 steps could be consolidated using ${{ inputs.tag || 'v2' }}. But that does not account for if/when the major version is bumped v3. It might be better to extract the major version from the most recent fully-qualified version (not vX but vX.Y.Z)...

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/release.yml (1)

33-39: Fix rolling-tag step to use shell fallback, fetch tags, and tag the release commit

• Fetch tags and enable strict shell mode (set -euo pipefail) to ensure tags are available and fail-fast (actions/checkout defaults to depth = 1 and fetch-tags: false) (github.com).
• Perform the fallback in shell (TAG_INPUT="${{ inputs.tag }}" and TAG="${TAG_INPUT:-$MAJOR_VERSION}") instead of mixing Actions expressions with shell variables ($MAJOR_VERSION won’t expand inside ${{ }}) (docs.github.com).
• Use GITHUB_SHA (last commit in the tagged release) as the target SHA when retagging (GITHUB_SHA is set to the commit of the release event) (docs.github.com).

Apply this diff in the run block:

-        # Get the major version from the latest tag
-        MAJOR_VERSION=`git tag --list --sort=-v:refname | head -n1 | cut -d. -f1`
-        git tag --force --annotate ${{ inputs.tag || '$MAJOR_VERSION' }} --message 'Retag ${{ inputs.tag || '$MAJOR_VERSION' }}'
-        git push origin ${{ inputs.tag || '$MAJOR_VERSION' }} --force
+        set -euo pipefail
+        # Ensure tags are available
+        git fetch --tags --force
+        # Determine latest major (expects tags like v2.3.4; falls back to whole tag if no dot)
+        LATEST_TAG="$(git tag --list 'v[0-9]*' --sort=-v:refname | head -n1 || true)"
+        MAJOR_VERSION="${LATEST_TAG%%.*}"
+        TAG_INPUT="${{ inputs.tag }}"
+        TAG="${TAG_INPUT:-$MAJOR_VERSION}"
+        if [ -z "${TAG}" ]; then
+          echo "No tags found and no tag input provided"; exit 1
+        fi
+        # Point rolling tag at the released commit when available, else current HEAD
+        TARGET_SHA="${GITHUB_SHA:-$(git rev-parse HEAD)}"
+        git tag --force --annotate "${TAG}" "${TARGET_SHA}" --message "Retag ${TAG}"
+        git push origin "refs/tags/${TAG}" --force

Optionally set fetch-depth: 0 and fetch-tags: true on actions/checkout (github.com).

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 54e0f13 and c84b4d4.

📒 Files selected for processing (1)

• .github/workflows/release.yml (2 hunks)

[2bndy5]

Much nicer! 🚀