ci: release workflow #46
Conversation
giortzisg
left a comment
| runs-on: ubuntu-latest | ||
| name: "Release a new version" | ||
| steps: | ||
| - name: Get auth token | ||
| id: token | ||
| uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 | ||
| with: | ||
| app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} | ||
| private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| token: ${{ steps.token.outputs.token }} | ||
| fetch-depth: 0 | ||
| - name: Prepare release | ||
| uses: getsentry/action-prepare-release@v1 | ||
| env: | ||
| GITHUB_TOKEN: ${{ steps.token.outputs.token }} | ||
| with: | ||
| version: ${{ github.event.inputs.version }} | ||
| force: ${{ github.event.inputs.force }} |
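Review bot: action pinning is inconsistent within this hunk: `actions/create-github-app-token` is pinned to commit `df432ceedc7162793a195dd1713ff69aefc7379e` with a `# v2.0.6` comment, while `actions/checkout@v4` and `getsentry/action-prepare-release@v1` reference mutable tags, so a moved tag changes the code that runs with the release bot's app token. Pin both to a full commit SHA with a version comment, matching the first step. The job also declares no `permissions:` block (the CodeQL warning covers this); since checkout and prepare-release both use `steps.token.outputs.token`, the default `GITHUB_TOKEN` can be restricted to `contents: read`.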
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 3 months ago
To fix the problem, we should add a permissions block to the workflow. The best way is to add it at the top level (just below the name: and before on:), so it applies to all jobs unless overridden. The minimal starting point is contents: read, but since the workflow checks out code and prepares releases (which may involve creating tags, releases, or modifying pull requests), we should ensure the permissions are sufficient for these actions. However, unless the workflow specifically needs to write to contents or pull requests, starting with contents: read is safest. If errors occur due to insufficient permissions, the block can be expanded. For now, add:
permissions:
  contents: read
directly after the name: line in .github/workflows/release.yml.
| @@ -1,3 +1,5 @@ | ||
| permissions: | ||
| contents: read | ||
| name: Prepare Release | ||
| on: | ||
| workflow_dispatch: |
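Review bot: `contents: read` is sufficient here rather than only a starting point: every step that writes (the checkout with `token:` and prepare-release via the `GITHUB_TOKEN` env) uses the app token from `steps.token.outputs.token`, not the default `GITHUB_TOKEN`, so the workflow-level block does not need `contents: write`. Placing `permissions:` above `name:` is valid YAML but reads oddly; put it directly after `name:` as the explanation says.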
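A small audit for the two issues raised on this page (a workflow with no `permissions:` block, and actions referenced by a mutable tag instead of a commit SHA), added here as an example; it is not part of this PR or of the sentry-zig project, and the workflow text it checks is a constructed abridgement of the hunk above.

```python
import re

# Constructed sample modelled on the release.yml hunk in this PR (abridged).
SAMPLE_WORKFLOW = """\
name: Prepare Release
on:
  workflow_dispatch:
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
      - uses: actions/checkout@v4
      - uses: getsentry/action-prepare-release@v1
"""

# `uses: owner/repo@ref # comment`; local actions (./path) have no '@' and are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERMISSIONS_RE = re.compile(r"^\s*permissions:", re.MULTILINE)


def find_unpinned_actions(text):
    """Return (action, ref) for every `uses:` whose ref is not a full 40-hex commit SHA."""
    return [(action, ref) for action, ref in USES_RE.findall(text) if not SHA_RE.match(ref)]


def has_permissions_block(text):
    """True if any `permissions:` key (workflow- or job-level) is declared."""
    return bool(PERMISSIONS_RE.search(text))


def audit(text):
    """Collect findings in the spirit of the CodeQL 'missing permissions' warning plus pin checks."""
    findings = []
    if not has_permissions_block(text):
        findings.append("no permissions block: GITHUB_TOKEN receives the repository default scopes")
    for action, ref in find_unpinned_actions(text):
        findings.append(f"{action}@{ref}: mutable ref, pin to a full commit SHA with a version comment")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOW):
        print(finding)
```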
| - name: registry | ||
| type: sdk | ||
| config: | ||
| canonical: 'github:getsentry/sentry-zig' |
No description provided.