
ci: add explicit permissions to release-please job #1224

Merged
joker23 merged 1 commit into main from
devin/1774458164-fix-release-please-permissions
Mar 25, 2026

@joker23
Contributor

@joker23 joker23 commented Mar 25, 2026

Requirements

  • I have added test coverage for new or changed functionality
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions

N/A — CI-only change, no application code or tests affected.

Related issues

Describe the solution you've provided

The release-please job in the release-please.yml workflow was failing because its GITHUB_TOKEN only had Contents: read permission. The job needs contents: write to create git trees/commits and pull-requests: write to update the release PR branch via the GitHub API.

The previous successful run (Mar 24) had full write permissions via the repo/org default, but a subsequent change to the default workflow permissions reduced the token to read-only, breaking this job. Other jobs in the same workflow (e.g., release-common) were unaffected because they already declare explicit permissions.

This PR adds an explicit permissions block to the release-please job, matching the pattern used by the other release jobs.

Describe alternatives you've considered

Reverting the repository/organization default workflow permissions back to "Read and write" — rejected because explicit per-job permissions follow the principle of least privilege and are more resilient to future settings changes.

Additional context

Human review checklist

  • Confirm that contents: write + pull-requests: write are sufficient for release-please-action@v4 (the action docs list these as the required permissions)
  • Verify whether the repo/org default workflow permissions change was intentional — if so, other workflows without explicit permissions may also need updating

Link to Devin session: https://app.devin.ai/sessions/cb7dde700084447b9b8c4e3e95de65b4
Requested by: @joker23


Note

Medium Risk
Adds contents: write and pull-requests: write to the release-please workflow job, slightly increasing CI token privileges but scoped to the release automation path.

Overview
Fixes failing automated releases by adding an explicit permissions block to the release-please job in .github/workflows/release-please.yml, granting GITHUB_TOKEN contents: write and pull-requests: write so release-please-action can create commits/trees and update the release PR.

Written by Cursor Bugbot for commit 676b99d. This will update automatically on new commits. Configure here.



Co-Authored-By: Steven Zhang <szhang@launchdarkly.com>
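
An added example, not code from this PR or repository: a small checker for the second item of the human review checklist above, listing jobs that declare no `permissions` block of their own and so depend on the repo/org default token permissions. The workflow text is constructed, and `audit_permissions`, `SAMPLE_WORKFLOW` and `FIXED_WORKFLOW` are hypothetical names.

```python
import re

# Constructed workflow modelled on the PR description; it is not the
# repository's actual release-please.yml, and release-common's scopes are assumed.
SAMPLE_WORKFLOW = """\
name: release-please
on:
  push:
    branches: [main]
jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      - uses: googleapis/release-please-action@v4
  release-common:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - run: echo "publish"
"""

# The same workflow with the two scopes the PR description names.
FIXED_WORKFLOW = SAMPLE_WORKFLOW.replace(
    "  release-please:\n    runs-on: ubuntu-latest\n",
    "  release-please:\n    runs-on: ubuntu-latest\n"
    "    permissions:\n      contents: write\n      pull-requests: write\n",
)

KEY = re.compile(r"\s*([A-Za-z0-9_-]+)\s*:")

def audit_permissions(text):
    """Return (workflow_level_block_present, jobs_without_own_block).

    Indentation scan for block-style YAML only; not a full YAML parser."""
    top_level, in_jobs, job_indent, child_indent = False, False, None, None
    declared = {}  # job id -> has a job-level permissions key
    current = None
    for line in text.splitlines():
        m = KEY.match(line)
        if not line.strip() or line.lstrip().startswith("#") or m is None:
            continue  # blank lines, comments and "- step" list items
        indent, key = len(line) - len(line.lstrip()), m.group(1)
        if indent == 0:
            in_jobs = key == "jobs"
            top_level = top_level or key == "permissions"
        elif in_jobs:
            job_indent = indent if job_indent is None else job_indent
            if indent == job_indent:  # a new job id
                current, child_indent = key, None
                declared[current] = False
            elif current is not None:
                child_indent = indent if child_indent is None else child_indent
                if indent == child_indent and key == "permissions":
                    declared[current] = True
    return top_level, [job for job, ok in declared.items() if not ok]
```

A job reported here with no workflow-level block inherits whatever the repository or organization default grants, which is the dependency that broke the release-please job in this PR.
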
@devin-ai-integration
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@devin-ai-integration devin-ai-integration bot added the devin-pr PRs created by Devin AI label Mar 25, 2026
@devin-ai-integration
Contributor

@cursor review

@github-actions
Contributor

@launchdarkly/js-sdk-common size report
This is the brotli compressed size of the ESM build.
Compressed size: 25661 bytes
Compressed size limit: 29000
Uncompressed size: 126143 bytes

@github-actions
Contributor

@launchdarkly/browser size report
This is the brotli compressed size of the ESM build.
Compressed size: 172878 bytes
Compressed size limit: 200000
Uncompressed size: 804511 bytes

@github-actions
Contributor

@launchdarkly/js-client-sdk size report
This is the brotli compressed size of the ESM build.
Compressed size: 25042 bytes
Compressed size limit: 34000
Uncompressed size: 87384 bytes

@github-actions
Contributor

@launchdarkly/js-client-sdk-common size report
This is the brotli compressed size of the ESM build.
Compressed size: 29404 bytes
Compressed size limit: 38000
Uncompressed size: 158016 bytes

@joker23 joker23 marked this pull request as ready for review March 25, 2026 17:21
@joker23 joker23 requested a review from a team as a code owner March 25, 2026 17:21
Contributor

@devin-ai-integration devin-ai-integration bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 1 additional finding.


@joker23 joker23 merged commit 669cc0c into main Mar 25, 2026
44 checks passed
@joker23 joker23 deleted the devin/1774458164-fix-release-please-permissions branch March 25, 2026 17:26