Harden release permissions and git identity

mparkachov · mparkachov · commit 88accd291511 · 2026-01-03T20:48:23.000+01:00
diff --git a/docs/DEVELOPMENT.md b/docs/DEVELOPMENT.md
@@ -368,6 +368,7 @@ Replace `<ACCOUNT_ID>`, `<REGION>`, `<S3_BUCKET_PROD>`, and `<S3_BUCKET_DEV>` to
       "Action": [
         "serverlessrepo:ListApplications",
         "serverlessrepo:CreateApplication",
+        "serverlessrepo:GetApplication",
         "serverlessrepo:UpdateApplication",
         "serverlessrepo:CreateApplicationVersion",
         "serverlessrepo:CreateCloudFormationTemplate",
diff --git a/scripts/release.sh b/scripts/release.sh
@@ -23,6 +23,17 @@ template_wrapper="$root/template.yaml"
 template_arm64="$root/template-arm64.yaml"
 template_amd64="$root/template-amd64.yaml"
 
+ensure_git_identity() {
+  git_name=$(git config user.name 2>/dev/null || true)
+  git_email=$(git config user.email 2>/dev/null || true)
+  if [ -z "$git_name" ]; then
+    git config user.name "github-actions[bot]"
+  fi
+  if [ -z "$git_email" ]; then
+    git config user.email "github-actions[bot]@users.noreply.github.com"
+  fi
+}
+
 cd "$root"
 
 current_branch=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || true)
@@ -173,14 +184,7 @@ if ! gh auth status >/dev/null 2>&1; then
 fi
 
 if ! git diff --quiet HEAD -- "$template_wrapper" "$template_arm64" "$template_amd64"; then
-  git_name=$(git config user.name 2>/dev/null || true)
-  git_email=$(git config user.email 2>/dev/null || true)
-  if [ -z "$git_name" ]; then
-    git config user.name "github-actions[bot]"
-  fi
-  if [ -z "$git_email" ]; then
-    git config user.email "github-actions[bot]@users.noreply.github.com"
-  fi
+  ensure_git_identity
   git add "$template_wrapper" "$template_arm64" "$template_amd64"
   git commit -m "Release $version"
   git push origin "$current_branch"
@@ -210,6 +214,7 @@ if [ "$tag_exists" = "true" ]; then
   exit 0
 fi
 
+ensure_git_identity
 git tag -a "$version" -m "Release $version"
 git push origin "$version"
 
