From c65b76e72777bff11612c972fa087fba9081572c Mon Sep 17 00:00:00 2001 From: Brandy Smith Date: Mon, 1 Dec 2025 11:25:26 -0500 Subject: [PATCH] chore(workflows): fix release workflow permissions (#30823) The workflow permissions update did not work due to it being nested in a workflow that only had `read` permissions. You can see a failing run here (scroll down to annotations): [19828029833](https://github.com/ionic-team/ionic-framework/actions/runs/19828029833) ``` Invalid workflow file: .github/workflows/release-orchestrator.yml#L71 The workflow is not valid. .github/workflows/release-orchestrator.yml (Line: 71, Col: 3): Error calling workflow 'ionic-team/ionic-framework/.github/workflows/release.yml@b4e540decc484bd22eb84484a8eb94f19b1790c1'. The nested job 'finalize-release' is requesting 'contents: write', but is only allowed 'contents: read'. .github/workflows/release-orchestrator.yml (Line: 71, Col: 3): Error calling workflow 'ionic-team/ionic-framework/.github/workflows/release.yml@b4e540decc484bd22eb84484a8eb94f19b1790c1'. The nested job 'update-package-lock' is requesting 'contents: write', but is only allowed 'contents: read'. ``` This updates the parent workflow to have `write` permissions. You can see a passing run here: [19828895682](https://github.com/ionic-team/ionic-framework/actions/runs/19828895682) Co-authored-by: Brandy Smith <6577830+brandyscarney@users.noreply.github.com> --- .github/workflows/release-orchestrator.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-orchestrator.yml b/.github/workflows/release-orchestrator.yml index 2c41ed516f..a0c05cbcd5 100644 --- a/.github/workflows/release-orchestrator.yml +++ b/.github/workflows/release-orchestrator.yml 
@@ -71,7 +71,7 @@ jobs: run-production: if: ${{ github.event_name == 'workflow_dispatch' && inputs.release-type == 'production' }} permissions: - contents: read + contents: write id-token: write uses: ./.github/workflows/release.yml secrets: inherit
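Review bot: On the `permissions:` block of `run-production`, `contents: write` now sits next to `id-token: write` and `secrets: inherit`, so this grant becomes the ceiling for every job in `./.github/workflows/release.yml`, not only the two named in the failing run (`finalize-release` and `update-package-lock`). A calling job's permissions cap what the jobs of a reusable workflow can request, so least privilege has to be enforced inside `release.yml`: please confirm that each job there declares its own `permissions:` and that only those two ask for `contents: write`, with the others kept at `contents: read`. A one-line YAML comment above `contents: write` naming the nested jobs that need it would also keep a later cleanup from reverting this to `read` and bringing back the "Invalid workflow file" error quoted in the commit message.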