fix(release): unblock v0.8.0 dispatch by dropping smoke job permissions override#480
Merged
The v0.8.0-rc.1 dispatch (run 25639883562) failed Layer 1 readiness with
RELEASE_READINESS_WORKFLOW_PERMISSIONS — `jobs.smoke.permissions.contents`
was `read` but the readiness check enforces strict equality with the
top-level `contents: write` value (scripts/lib/release-readiness.ts
diagnosticsForPermissions, line ~852).
Drop the job-level `permissions:` block so smoke inherits the top-level
{ contents: write, attestations: write, id-token: write } block. The
reusable smoke-test workflow is read-only in practice (npm pack +
install + CLI smoke); the inherited write scopes are unused.
Comment block in release.yml header already says "job-level overrides
may only narrow, never widen" — the actual readiness check enforces
equality, not subset. The narrowing-allowed semantics is documented as
intent (line ~775) but the implementation is exact-match. Either the
comment is wrong or the check is too strict; aligning the workflow with
the implementation unblocks v0.8.0-rc.1 / v0.8.0 dispatch immediately.
A follow-up may relax the readiness check.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
The v0.8.0-rc.1 dispatch (run 25639883562) failed Layer 1 readiness with `RELEASE_READINESS_WORKFLOW_PERMISSIONS` because `jobs.smoke.permissions.contents` is `read` but the readiness check enforces strict equality against the top-level `contents: write` (`scripts/lib/release-readiness.ts` `diagnosticsForPermissions`, line ~852).
Drop the smoke job's `permissions:` block so it inherits the top-level `{ contents: write, attestations: write, id-token: write }`. The reusable smoke-test workflow is read-only in practice (`npm pack` + install + CLI smoke); the inherited write scopes are unused.
Why this is a fix and not a check change
The release.yml header comment block (lines 53-63) says "job-level overrides may only narrow, never widen", and `scripts/lib/release-readiness.ts` line ~775 says "Each job-level block — if present — must also be a subset of the least-privilege set". But the actual implementation in `diagnosticsForPermissions` (line ~852) requires `actual === expected` for every permission key on every job — not subset, not narrowing. Smoke's `contents: read` is therefore a violation under the current check.
Two ways to fix:
Option 1 unblocks v0.8.0 dispatch immediately. Option 2 is a separate PR — the comment block already advertises subset semantics, so the implementation is the bug, not the intent. Filed as follow-up after v0.8.0 ships.
Test plan
Out of scope
🤖 Generated with Claude Code
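The commit message and the "Why this is a fix and not a check change" section both turn on one distinction: whether a readiness check compares a job-level `permissions:` block to the top-level block by exact equality or by "may narrow, never widen" subset semantics. The block below is an added example written for this page; it is not the project's `scripts/lib/release-readiness.ts`, and the `Workflow` type, the function names (`effectivePermissions`, `diagnosticsExact`, `diagnosticsNarrowing`, `summarize`) and the two sample workflows are assumptions constructed to mirror the shape the PR describes. It implements both semantics side by side so the `contents: read` override on the smoke job can be seen failing one and passing the other, and it goes slightly beyond the PR's case by also including a hypothetical `publish` job that widens a scope, which neither semantics should accept.

```typescript
// Added example, not the project's release-readiness code. Function names,
// the Workflow type and the sample workflows below are assumptions.

export type Scope = "none" | "read" | "write";
export type Permissions = Record<string, Scope>;

export interface Workflow {
  permissions: Permissions;
  jobs: Record<string, { permissions?: Permissions }>;
}

export interface Diagnostic {
  job: string;
  key: string;
  expected: Scope;
  actual: Scope;
  reason: string;
}

// Ordering used for "narrower than": none < read < write.
const RANK: Record<Scope, number> = { none: 0, read: 1, write: 2 };

// Effective permissions of one job. GitHub Actions semantics: a job with no
// `permissions:` block inherits the top-level block; a job that declares one
// replaces the inherited block wholesale, and every scope it does not
// mention becomes `none`.
export function effectivePermissions(wf: Workflow, job: string): Permissions {
  const override = wf.jobs[job]?.permissions;
  if (!override) return { ...wf.permissions };
  const effective: Permissions = {};
  for (const key of Object.keys(wf.permissions)) effective[key] = "none";
  return { ...effective, ...override };
}

// Union of the top-level keys and the job's effective keys, so a job that
// grants a scope the top level never mentions is still examined.
function unionKeys(wf: Workflow, eff: Permissions): string[] {
  const seen: Record<string, true> = {};
  for (const k of Object.keys(wf.permissions)) seen[k] = true;
  for (const k of Object.keys(eff)) seen[k] = true;
  return Object.keys(seen);
}

// Exact-match semantics: every job must end up with exactly the top-level
// block. `contents: read` under a top-level `contents: write` is flagged, and
// so are the scopes the override silently dropped to `none`.
export function diagnosticsExact(wf: Workflow): Diagnostic[] {
  const out: Diagnostic[] = [];
  for (const job of Object.keys(wf.jobs)) {
    const eff = effectivePermissions(wf, job);
    for (const key of unionKeys(wf, eff)) {
      const expected: Scope = wf.permissions[key] ?? "none";
      const actual: Scope = eff[key] ?? "none";
      if (actual !== expected) {
        out.push({ job, key, expected, actual, reason: "job-level value differs from top-level value" });
      }
    }
  }
  return out;
}

// Narrowing semantics: a job may reduce or drop a scope but never widen one,
// and never grant a scope the top-level block does not grant.
export function diagnosticsNarrowing(wf: Workflow): Diagnostic[] {
  const out: Diagnostic[] = [];
  for (const job of Object.keys(wf.jobs)) {
    const eff = effectivePermissions(wf, job);
    for (const key of unionKeys(wf, eff)) {
      const expected: Scope = wf.permissions[key] ?? "none";
      const actual: Scope = eff[key] ?? "none";
      if (RANK[actual] > RANK[expected]) {
        out.push({ job, key, expected, actual, reason: "job-level value widens the top-level grant" });
      }
    }
  }
  return out;
}

// Constructed sample mirroring the PR's description: a read-only smoke job
// overriding `contents`, plus a hypothetical `publish` job that widens
// `packages` beyond anything the top-level block grants.
export const beforeFix: Workflow = {
  permissions: { contents: "write", attestations: "write", "id-token": "write" },
  jobs: {
    build: {},
    smoke: { permissions: { contents: "read" } },
    publish: { permissions: { contents: "write", packages: "write" } },
  },
};

// The PR's fix: the smoke job's `permissions:` block is removed, so smoke
// inherits the top-level block verbatim and satisfies the exact-match check.
export const afterFix: Workflow = {
  ...beforeFix,
  jobs: { ...beforeFix.jobs, smoke: {} },
};

// Diagnostics per job, for a quick before/after comparison.
export function summarize(wf: Workflow, check: (w: Workflow) => Diagnostic[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const d of check(wf)) counts[d.job] = (counts[d.job] ?? 0) + 1;
  return counts;
}
```

Under `diagnosticsExact`, the smoke job in `beforeFix` produces three diagnostics (`contents` read vs write, and `attestations` and `id-token` dropped to none by the override), which is the failure mode the PR hit; under `diagnosticsNarrowing` it produces none, which is what the header comment's "may only narrow, never widen" wording promises. The `publish` job is flagged by both. Note the trade-off the fix makes: removing the override is the only way to satisfy an exact-match check without touching the check, but it leaves a job the PR describes as read-only in practice running with `contents: write` and `id-token: write`; relaxing the check to subset semantics, as the follow-up proposes, is what would let the narrower block be restored.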