
fix(ci/release): grant contents:write to goreleaser job #309

Merged
shino merged 1 commit into master from shino/releaser-permission
May 11, 2026

Contributor

@shino shino commented May 11, 2026

Summary

  • The default GITHUB_TOKEN permissions are read-only in many repo/org configurations, which makes the goreleaser action fail at the scm releases step with 403 Resource not accessible by integration when trying to PATCH the GitHub Release. The sibling repo vulsio/go-cpe-dictionary hit exactly this on its v0.9.5 tag push.
  • Deny everything at the workflow level (permissions: {}) and grant contents: write only to the goreleaser job, following the least-privilege principle. Mirrors fix(ci/release): grant contents:write to goreleaser job go-cpe-dictionary#275.

Test plan

  • Push a release tag and confirm the GitHub Release is published successfully by goreleaser.

🤖 Generated with Claude Code

The default GITHUB_TOKEN permissions are read-only in many repo/org
configurations, which makes the goreleaser action fail at the "scm
releases" step with `403 Resource not accessible by integration`
when trying to PATCH the GitHub Release.

Deny everything at the workflow level (`permissions: {}`) and grant
`contents: write` only to the goreleaser job, following the
least-privilege principle. Mirrors vulsio/go-cpe-dictionary#275.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Copilot AI left a comment


Pull request overview

This PR updates the GitHub Actions GoReleaser workflow to follow least-privilege GitHub token permissions while still allowing GoReleaser to publish/update GitHub Releases on tag pushes.

Changes:

  • Set workflow-level token permissions to none (permissions: {}).
  • Grant contents: write only to the goreleaser job so the release step can modify GitHub Releases without 403 permission failures.


@shino shino requested a review from MaineK00n May 11, 2026 06:04
Collaborator

@MaineK00n MaineK00n left a comment


👍

@shino shino merged commit f88d353 into master May 11, 2026
11 checks passed
@shino shino deleted the shino/releaser-permission branch May 11, 2026 06:14
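
The permission layout this PR describes, written out as an added example (it is not the repository's actual workflow file, whose diff is not shown on this page). Only `permissions: {}` at the workflow level and `contents: write` on the goreleaser job come from the PR text; the file name, trigger, action versions and step list are assumptions.

```yaml
# Constructed example; not the repository's actual workflow file.
# .github/workflows/goreleaser.yml  (file name assumed)
name: goreleaser

on:
  push:
    tags:
      - "*"            # assumed trigger: any tag push

# Workflow level: deny every GITHUB_TOKEN scope. A job added to this file
# later starts with no permissions and has to declare what it needs.
permissions: {}

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    # Job level: the only scope granted. Once a job sets `permissions`,
    # every scope not listed here is "none" for that job.
    # contents: write lets goreleaser create and update the GitHub Release;
    # with a read-only default token and no grant, the release step fails
    # with "403 Resource not accessible by integration".
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history and tags for the changelog
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: goreleaser/goreleaser-action@v6
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Without either `permissions` block the job inherits the repository or organization default, so the same file either fails with the 403 above (read-only default) or runs every step with a broader token than the release needs (permissive default).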
3 participants