ci: grant deployments:write to features workflow #2252

Merged: emptyhammond merged 1 commit into main from fix/features-workflow-deployments-permission on Jul 1, 2026

@emptyhammond emptyhammond commented Jun 25, 2026

Contributor

Summary

PR #2228 ("ci: harden workflows") scoped the GITHUB_TOKEN to least privilege. The features.yml build job calls the reusable workflow ably/features/.github/workflows/sdk-features.yml, which declares it requires:

permissions:
  deployments: write
  id-token: write

However, features.yml granted only contents: read and id-token: write — missing deployments: write. A called reusable workflow cannot request a permission the caller did not grant, so this caused an invisible failure at workflow startup (the Features job never ran).

This restores the missing deployments: write permission.

Background

Flagged by @VeskeR on ably-dotnet#1328, who noted the same regression landed across multiple SDKs (ably-js, ably-python). Broken ably-js run: https://github.com/ably/ably-js/actions/runs/26302842757

Summary by CodeRabbit

  • Chores
    • Updated an automation workflow’s permissions to support deployment-related actions.

The sdk-features reusable workflow requires deployments:write and
id-token:write. PR #2228 scoped the GITHUB_TOKEN to least privilege but
omitted deployments:write, causing an invisible failure at workflow
startup. Add the missing permission.
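
The rule in the PR description (a called reusable workflow cannot request a permission the caller did not grant) can be checked before merge. The following is an added example, not part of the PR or of the ably repositories: the function names and the minimal line-based reader are assumptions, and the workflow snippets are constructed from the permissions quoted in the description.

```python
import re

LEVELS = {"none": 0, "read": 1, "write": 2}

def parse_permissions(yaml_text):
    """Return {scope: level} from the first block-style `permissions:` mapping.

    Minimal line-based reader, not a YAML parser: it handles only the
    indented `scope: level` form quoted in the PR description.
    """
    perms, base = {}, None
    for line in yaml_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if base is None:
            if line.strip() == "permissions:":
                base = indent
            continue
        if indent <= base:
            break  # dedent: the permissions block has ended
        m = re.fullmatch(r"([a-z-]+):\s*(none|read|write)", line.strip())
        if m:
            perms[m.group(1)] = m.group(2)
    return perms

def missing_grants(caller, called):
    """Scopes the called workflow needs above the caller's grant (absent = none)."""
    return {scope: need for scope, need in called.items()
            if LEVELS[need] > LEVELS[caller.get(scope, "none")]}

# Constructed snippets: the reusable workflow's declared permissions, and the
# caller job before and after this PR.
CALLED = """\
permissions:
  deployments: write
  id-token: write
"""
CALLER_BEFORE = """\
jobs:
  build:
    permissions:
      contents: read
      id-token: write
"""
CALLER_AFTER = CALLER_BEFORE + "      deployments: write\n"

if __name__ == "__main__":
    for name, text in (("before", CALLER_BEFORE), ("after", CALLER_AFTER)):
        print(name, missing_grants(parse_permissions(text), parse_permissions(CALLED)))
```

Run as a pre-merge check over each caller and called workflow pair, a non-empty result identifies the scope that would cause the startup failure described above.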

coderabbitai Bot commented Jun 25, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c0904913-e9ac-4767-a1ac-3f7fd99ea99a

📥 Commits

Reviewing files that changed from the base of the PR and between 13bd25d and 8d19aec.

📒 Files selected for processing (1)
  • .github/workflows/features.yml

Walkthrough

The workflow job permission set was extended to include deployments: write.

Changes

Workflow permissions update

Layer / File(s) | Summary
Add deployments permission (.github/workflows/features.yml) | The job-level permissions block now includes deployments: write.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • ably/ably-js#2229: Also changes .github/workflows/features.yml permissions in the same workflow, with related checkout credential handling updates.

Suggested reviewers

  • owenpearson

Poem

🐰 A little workflow hopped along,
With one new permission in its song.
Deployments now can take their place,
Under CI’s moonlit grace.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately summarizes the workflow permission change by adding deployments:write to the features CI workflow.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

@emptyhammond emptyhammond merged commit 86ee0e5 into main Jul 1, 2026
17 checks passed
@emptyhammond emptyhammond deleted the fix/features-workflow-deployments-permission branch July 1, 2026 09:47