ci: grant release-please the workflows scope for self-pin rewrites#337

Merged
botantler-1[bot] merged 1 commit into
mainfrom
claude/actions-release-extrafiles
Jun 24, 2026

Conversation

@devantler devantler commented Jun 24, 2026

Contributor

🤖 Generated by the Daily AI Assistant

Problem — releases were wedged on main

The 🎉 Release workflow failed on every push since #314 (feat!: merge reusable-workflows into the actions repo) with the opaque release-please failed: Error adding to tree. No GitHub release/tag could be cut.

Root cause

release-please rewrites the # x-release-please-version self-pins listed in extra-files. Five of those targets live under .github/workflows/. The 🎉 Release workflow mints a botantler-1 App token that requested only contents / pull-requests / issues — not workflows — so writing any file under .github/workflows/ returned 403 Resource not accessible by integration, which release-please surfaces as the opaque "Error adding to tree" (release-please-action#938). feat! (#314) was simply the first releasable commit to actually exercise the workflow-file rewrite.

Fix

The botantler-1 App holds the Workflows repository permission (read+write), so request it on the token:

           permission-contents: write
           permission-pull-requests: write
           permission-issues: write
+          permission-workflows: write
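Review bot: the added `permission-workflows: write` line lets the minted token rewrite the repository's own CI definitions, and the description says the net diff also carries an explanatory comment that this hunk does not show; suggest that comment state the scope exists only so release-please can update the `# x-release-please-version` self-pins under .github/workflows/, so a later reader can see the elevated scope is deliberate and drop it if those files ever leave extra-files.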

This preserves the documented convention that release-please owns the first-party self-pins (no change to release-please-config.json), rather than dropping the workflow files from extra-files.

Validation

  • actionlint clean on active-release.yaml; net diff is the single permission-workflows: write line (+ explanatory comment).
  • The PR's own [Test] Create Release - Dry Run / Release check exercises release-please against this config.

Net diff: +3 lines in .github/workflows/active-release.yaml, nothing else.
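The mismatch described above (a token scope that does not cover a path release-please rewrites) can be caught before release-please runs and reported plainly instead of as "Error adding to tree". The following Python pre-flight check is an added example, not code from this PR or repository: it derives the scopes the extra-files need from a release-please config and compares them with the `permission-*` inputs of the token-minting step; the sample config and step inputs are constructed, and it assumes extra-files entries are relative to their package directory.

```python
import json
import posixpath

# Constructed sample inputs (not the repository's real files).
SAMPLE_CONFIG = json.dumps({"packages": {".": {"extra-files": [
    "action.yaml",
    ".github/workflows/active-release.yaml",
    {"type": "json", "path": "package.json", "jsonpath": "$.version"},
]}}})
# `with:` inputs of the token-minting step before and after the fix in this PR.
BEFORE_WITH = {"permission-contents": "write",
               "permission-pull-requests": "write",
               "permission-issues": "write"}
AFTER_WITH = dict(BEFORE_WITH, **{"permission-workflows": "write"})

# Files under this directory are writable by an integration only with `workflows`.
WORKFLOW_DIR = ".github/workflows/"

def extra_files(config_json):
    """Flatten extra-files across packages; entries are strings or {"path": ...}.
    Assumption: entries are relative to their package directory."""
    cfg = json.loads(config_json)
    paths = []
    for pkg_dir, pkg in cfg.get("packages", {}).items():
        for entry in pkg.get("extra-files", []):
            rel = entry if isinstance(entry, str) else entry["path"]
            paths.append(posixpath.normpath(posixpath.join(pkg_dir, rel)))
    return paths

def required_permissions(paths):
    """Scopes the token must carry to write every path release-please touches."""
    needed = {"contents": "write"}  # release-please always commits to the tree
    if any(p.startswith(WORKFLOW_DIR) for p in paths):
        needed["workflows"] = "write"
    return needed

def token_permissions(step_with):
    """Map `permission-<scope>: <level>` step inputs to {scope: level}."""
    prefix = "permission-"
    return {k[len(prefix):]: v for k, v in step_with.items() if k.startswith(prefix)}

def missing_permissions(config_json, step_with):
    """Scopes the extra-files require that the token step does not request."""
    needed = required_permissions(extra_files(config_json))
    have = token_permissions(step_with)
    return {s: lvl for s, lvl in needed.items() if have.get(s) != lvl}

if __name__ == "__main__":
    for label, step in (("before", BEFORE_WITH), ("after", AFTER_WITH)):
        print(label, missing_permissions(SAMPLE_CONFIG, step) or "ok")
```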

github-code-quality Bot commented Jun 24, 2026


Code Coverage Overview

Languages: Go, C#

Go / code-coverage/test

The overall coverage remains at 50%, unchanged from the branch.

C# / code-coverage/dotnet

The overall coverage remains at 100%, unchanged from the branch.


Updated June 24, 2026 18:29 UTC

github-actions Bot commented Jun 24, 2026


MegaLinter analysis: Success

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ COPYPASTE jscpd yes no no 2.04s
✅ GO golangci-lint yes yes no no 20.37s
✅ GO revive 2 0 0 0.26s
✅ REPOSITORY checkov yes no no 26.6s
✅ REPOSITORY gitleaks yes no no 0.16s
✅ REPOSITORY git_diff yes no no 0.05s
✅ REPOSITORY grype yes no no 52.16s
✅ REPOSITORY osv-scanner yes no no 0.35s
✅ REPOSITORY secretlint yes no no 1.67s
✅ REPOSITORY syft yes no no 2.36s
✅ REPOSITORY trivy yes no no 14.94s
✅ REPOSITORY trivy-sbom yes no no 0.28s
✅ REPOSITORY trufflehog yes no no 4.66s


The 🎉 Release workflow rewrites the x-release-please-version self-pins listed
in release-please extra-files; five of those targets live under
.github/workflows/. The botantler-1 App token requested only contents/
pull-requests/issues, so writing a workflow file was rejected (403, surfaced by
release-please as the opaque "Error adding to tree") — wedging the release
pipeline on every releasable commit since #314.

The botantler-1 App holds the Workflows repository permission (read+write), so
request it on the token (permission-workflows: write). This preserves the
documented convention that release-please owns the first-party self-pins,
rather than dropping the workflow files from extra-files.
@devantler devantler force-pushed the claude/actions-release-extrafiles branch from c825818 to eb26496 June 24, 2026 18:28
@devantler devantler changed the title from "ci: drop workflow-file self-pins from release-please extra-files" to "ci: grant release-please the workflows scope for self-pin rewrites" Jun 24, 2026
@devantler devantler marked this pull request as ready for review June 24, 2026 18:31
@botantler-1 botantler-1 Bot enabled auto-merge (squash) June 24, 2026 18:31
@botantler-1 botantler-1 Bot merged commit ea68e2b into main Jun 24, 2026
100 checks passed
@botantler-1 botantler-1 Bot deleted the claude/actions-release-extrafiles branch June 24, 2026 18:31
@github-project-automation github-project-automation Bot moved this from 🫴 Ready to ✅ Done in 🌊 Project Board Jun 24, 2026
@botantler-1 botantler-1 Bot mentioned this pull request Jun 24, 2026
@botantler-1 botantler-1 Bot mentioned this pull request Jul 3, 2026