ci: grant actions:write to release job so it can trigger appstore-publish #4
Merged
…lish The v1.1.1 release run failed on the final "Trigger App Store publish" step because the default GITHUB_TOKEN only carries read-level permission on actions, while `gh workflow run` requires actions:write. The signing workflow had to be triggered manually from a local gh CLI to complete the release. Adding the permission scopes the token correctly so future releases chain through without manual intervention.
Why
The v1.1.1 release run (#25802254383) failed on the final `Trigger App Store publish` step:
Cause: the default `GITHUB_TOKEN` provided to the runner only carries `actions: read`, but `gh workflow run` requires `actions: write` to call the workflow dispatch API. The signing workflow (`appstore-build-publish.yml`) therefore had to be triggered manually from a local `gh` CLI to complete the v1.1.1 release.
What changes
Grants `actions: write` to the release job. This scopes the runner token correctly so that the chained `gh workflow run appstore-build-publish.yml` step succeeds in-pipeline going forward.
No code change beyond a single permission line; behaviour for everything else is identical.
Test plan
release.yml) should complete all steps, including `Trigger App Store publish`, and the appstore-publish workflow should appear in the Actions tab without manual intervention.
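A job-level permission grant of the kind described above, as an added example that is not the project's own `release.yml`: the trigger, job name, runner and the `contents: write` scope are assumptions. It shows that a job-level `permissions` block replaces the token's defaults for that job, so every scope the job needs has to be listed alongside `actions: write`.

```yaml
# Hypothetical release.yml excerpt (added example, not the project's file).
# Trigger, job name, runner and the contents scope are assumptions.
name: release
on:
  push:
    tags: ["v*"]

# Workflow-level default: every job starts with a read-only token.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    # Job-level permissions replace the defaults for this job only.
    # Any scope not listed here is set to "none", so list all that are needed
    # and nothing more.
    permissions:
      contents: write   # assumption: the job publishes the GitHub release
      actions: write    # needed by `gh workflow run` (workflow dispatch API)
    steps:
      # ... build and release steps elided ...
      - name: Trigger App Store publish
        env:
          GH_TOKEN: ${{ github.token }}      # gh CLI reads its token from GH_TOKEN
          GH_REPO: ${{ github.repository }}  # target repo when no checkout is present
        # The target workflow must declare `on: workflow_dispatch` to be dispatchable.
        run: gh workflow run appstore-build-publish.yml
```

Granting the scope on the one job that dispatches, rather than at workflow level, keeps `actions: write` out of the token handed to any other job in the file.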