
Scope patch release workflow write permissions to its job #3342

Merged: theletterf merged 1 commit into master from infosec-readonly-token-perms on Jun 16, 2026

@theletterf

Summary

  • add `permissions: {}` at the workflow level for `patch-release-version-bump.yml`
  • grant `contents: write` and `pull-requests: write` only to the `create-pull-request` job
  • keep the workflow compatible with a read-only default `GITHUB_TOKEN`

Contributes to elastic/docs-actions#187.

Test plan

  • Reviewed the workflow to confirm it uses `secrets.GITHUB_TOKEN` for `create-pull-request`
  • Verified the diff only scopes the required explicit permissions
  • Optional: run the workflow in GitHub if runtime confirmation is needed

Made with Cursor

Deny permissions by default at the workflow level and grant `contents: write` plus `pull-requests: write` only to the job that creates the bump PR, so the workflow stays compatible with a read-only default token.

Co-authored-by: OpenAI <noreply@openai.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
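
The scoping described in the summary above, as an added example that is not the project's workflow file: a constructed workflow with a workflow-level `permissions: {}` and write scopes only on the `create-pull-request` job. The workflow name, the `check` job, the branch name, `version.txt` and the `gh pr create` step are assumptions for illustration.

```yaml
# Constructed example; not the contents of patch-release-version-bump.yml.
name: version-bump-example        # hypothetical name

on:
  workflow_dispatch:

# Deny every GITHUB_TOKEN scope by default. Without this block the token
# inherits the repository or organization default, which may be read/write.
permissions: {}

jobs:
  check:                          # hypothetical job that only reads the repo
    runs-on: ubuntu-latest
    permissions:
      contents: read              # checkout needs read access, nothing more
    steps:
      - uses: actions/checkout@v4
      - run: test -f version.txt  # hypothetical file

  create-pull-request:
    runs-on: ubuntu-latest
    needs: check
    # Write scopes exist only on the job that pushes a branch and opens the PR.
    permissions:
      contents: write             # push the bump branch
      pull-requests: write        # open the pull request
    steps:
      - uses: actions/checkout@v4
      - name: Push bump branch and open PR
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git switch -c bump/example          # hypothetical branch name
          echo "1.2.3" > version.txt          # constructed version value
          git commit -am "Bump version"
          git push origin bump/example
          gh pr create --fill --base master
```

A job-level `permissions` block replaces the workflow-level one for that job, so any scope not listed there stays at `none`. Opening a pull request with `GITHUB_TOKEN` also requires the repository setting "Allow GitHub Actions to create and approve pull requests" to be enabled.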
@github-actions

A documentation preview will be available soon.

Request a new doc build by commenting
  • Rebuild this PR: run docs-build
  • Rebuild this PR and all Elastic docs: run docs-build rebuild

run docs-build is much faster than run docs-build rebuild. A rebuild should only be needed in rare situations.

If your PR continues to fail for an unknown reason, the doc build pipeline may be broken. Elastic employees can check the pipeline status here.

@theletterf theletterf enabled auto-merge (squash) June 16, 2026 07:59
@theletterf theletterf merged commit e8fc018 into master Jun 16, 2026
4 of 5 checks passed
@theletterf theletterf deleted the infosec-readonly-token-perms branch June 16, 2026 08:13