From 0ee1f94b615837adcb69860215b2e02d4e89273d Mon Sep 17 00:00:00 2001 From: Luis Mendez Date: Sun, 10 May 2026 23:30:45 +0200 Subject: [PATCH] fix(release): drop smoke job permissions override; inherit top-level MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The v0.8.0-rc.1 dispatch (run 25639883562) failed Layer 1 readiness with RELEASE_READINESS_WORKFLOW_PERMISSIONS — `jobs.smoke.permissions.contents` was `read` but the readiness check enforces strict equality with the top-level `contents: write` value (scripts/lib/release-readiness.ts diagnosticsForPermissions, line ~852). Drop the job-level `permissions:` block so smoke inherits the top-level { contents: write, attestations: write, id-token: write } block. The reusable smoke-test workflow is read-only in practice (npm pack + install + CLI smoke); the inherited write scopes are unused. Comment block in release.yml header already says "job-level overrides may only narrow, never widen" — the actual readiness check enforces equality, not subset. The narrowing-allowed semantics is documented as intent (line ~775) but the implementation is exact-match. Either the comment is wrong or the check is too strict; aligning the workflow with the implementation unblocks v0.8.0-rc.1 / v0.8.0 dispatch immediately. A follow-up may relax the readiness check. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/release.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f9b5edb9b..9659cacd2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -74,8 +74,15 @@ jobs: smoke: name: Smoke test (release gate) uses: ./.github/workflows/smoke-test.yml - permissions: - contents: read + # No job-level `permissions:` block — `scripts/lib/release-readiness.ts` + # `diagnosticsForPermissions` enforces strict equality between job-level + # and top-level permission values (line ~852: "is `` but must be + # ``"). A `contents: read` override here failed Layer 1 + # readiness on the v0.8.0-rc.1 dispatch (run 25639883562). The smoke job + # therefore inherits the top-level `{ contents: write, attestations: + # write, id-token: write }` block. The reusable smoke-test workflow is + # read-only in practice (npm pack + install + CLI smoke); the inherited + # write scopes are unused. release: name: Manual GitHub Release