Handle release-permission failures in Scheduled Security Build without failing image publish#665

Merged
Theaxiom merged 10 commits into master from copilot/fix-security-build-job-error on Jun 2, 2026
Conversation

Contributor

Copilot AI commented Jun 2, 2026

Scheduled Security Build was failing in the release step even after images were successfully pushed. The failure was caused by gh release create returning permission errors (HTTP 403 / Resource not accessible by integration) under workflow token constraints.

  • Release-step failure handling
    • Wrap gh release create to capture both output and exit code.
    • Treat permission-denied cases as non-fatal warnings so weekly security rebuilds can complete.
    • Preserve hard-fail behavior for all other release-creation errors.
  • Permission-denied detection hardening
    • Detect via gh auth-related exit code (4) and permission/403 output patterns.
    • Use explicit boolean flags to keep condition flow readable and maintainable.
  • Workflow annotation safety
    • Emit permission failures as ::warning:: annotations.
    • Normalize multiline CLI output to a single line and cap annotation length via a named truncation constant.

GH_RELEASE_OUTPUT=$(gh release create ... 2>&1)
GH_RELEASE_EXIT_CODE=$?

if [ "${GH_RELEASE_EXIT_CODE}" -eq 4 ] || [ "${PERMISSION_PATTERN_MATCH}" = "true" ]; then
  echo "::warning::Skipping GitHub release creation ... gh output: ${GH_RELEASE_OUTPUT_SUMMARY}"
else
  echo "::error::${GH_RELEASE_OUTPUT}"
  exit "${GH_RELEASE_EXIT_CODE}"
fi
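The classification and annotation logic the description outlines, written out as an added shell example rather than the PR's own workflow file. The function names, the GH_OUTPUT_SUMMARY_MAX_LEN constant and the sample gh messages are constructed here; the only inputs assumed are the captured gh output and its exit code.

```shell
#!/usr/bin/env bash
# Added example, not the workflow from this PR. Note: GitHub Actions runs bash with
# -e, so capturing `$?` from a failing command substitution needs `set +e` first
# (or `|| GH_RELEASE_EXIT_CODE=$?`), otherwise the step aborts before the check runs.

# Named truncation limit for gh output embedded in an annotation (constructed value).
GH_OUTPUT_SUMMARY_MAX_LEN=200

# Collapse multiline CLI output to one line and cap its length, so the ::warning::
# annotation (which is newline-terminated) cannot be split or blown up by gh output.
summarize_output() {
  out=$(printf '%s' "$1" | tr '\n\r' '  ' | tr -s ' ' | sed 's/^ *//; s/ *$//')
  if [ "${#out}" -gt "${GH_OUTPUT_SUMMARY_MAX_LEN}" ]; then
    out="$(printf '%s' "${out}" | cut -c1-"${GH_OUTPUT_SUMMARY_MAX_LEN}")..."
  fi
  printf '%s' "${out}"
}

# 0 when the failure is a token-permission problem: gh exit code 4 (auth-related)
# or a 403 / "Resource not accessible by integration" message in the output.
is_permission_denied() {
  exit_code="$1"; output="$2"
  [ "${exit_code}" -eq 4 ] && return 0
  printf '%s' "${output}" | grep -qiE 'HTTP 403|Resource not accessible by integration' && return 0
  return 1
}

# Emit the annotation and return the status the step should finish with:
# 0 for success or a permission-denied warning, the original gh exit code otherwise.
handle_release_result() {
  exit_code="$1"; output="$2"
  [ "${exit_code}" -eq 0 ] && return 0
  if is_permission_denied "${exit_code}" "${output}"; then
    echo "::warning::Skipping GitHub release creation; token cannot create releases. gh output: $(summarize_output "${output}")"
    return 0
  fi
  echo "::error::${output}"
  return "${exit_code}"
}
```

Wired into the workflow it replaces the bare `gh release create` call: `set +e; GH_RELEASE_OUTPUT=$(gh release create "$TAG" 2>&1); GH_RELEASE_EXIT_CODE=$?; set -e; handle_release_result "$GH_RELEASE_EXIT_CODE" "$GH_RELEASE_OUTPUT"`.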

@Theaxiom Theaxiom marked this pull request as ready for review June 2, 2026 17:08
Copilot AI review requested due to automatic review settings June 2, 2026 17:08
@Theaxiom Theaxiom merged commit 86cf820 into master Jun 2, 2026
@Theaxiom Theaxiom deleted the copilot/fix-security-build-job-error branch June 2, 2026 17:09
@bytestream

@Theaxiom have you tried setting a PAT instead of using the built-in job token? That is the solution on the gh cli issue that I referenced earlier.

Contributor

Copilot AI left a comment

Pull request overview

This PR updates the Scheduled Security Build workflow to prevent weekly scheduled runs from failing when gh release create cannot create a release due to GitHub Actions token permission constraints, while still failing hard on other release-creation errors.

Changes:

  • Captures gh release create output + exit code without failing the step immediately.
  • Classifies “permission denied/403” release-creation failures as warnings and continues the workflow.
  • Truncates and normalizes gh output for warning annotations.

@Theaxiom
Collaborator

Theaxiom commented Jun 2, 2026

> @Theaxiom have you tried setting a PAT instead of using the built-in job token? That is the solution on the gh cli issue that I referenced earlier.

Thanks for the suggestion, I'm currently banging my head on it until it works. Should be resolved soon. 🤣

@Theaxiom
Collaborator

Theaxiom commented Jun 2, 2026

> @Theaxiom have you tried setting a PAT instead of using the built-in job token? That is the solution on the gh cli issue that I referenced earlier.

@bytestream all fixed now. 👍
