[ci] Bug Fix: grant id-token: write in version.yml release call#8747
Merged: etrepum merged 2 commits, Jun 25, 2026
## Description

The "Create New Release Branch" workflow (version.yml) failed GitHub's workflow validation with:

    The nested job 'publish' is requesting 'id-token: write', but is only allowed 'id-token: none'.

version.yml calls the reusable workflow call-release.yml, whose `publish` job declares `id-token: write` for npm trusted publishing (OIDC). GitHub validates a reusable workflow's permission requests against the caller statically — regardless of `if:` conditions — so even though version.yml never sets `publish: true`, the caller must still grant every permission the nested jobs declare. version.yml only granted `contents: write`.

This adds `id-token: write` to version.yml's permissions block, matching the sibling caller pre-release.yml.

Closes #

## Test plan

### Before

version.yml rejected by GitHub as an invalid workflow file (see error above); the workflow could not be dispatched.

### After

version.yml passes workflow validation and can be dispatched; the `publish` job's `id-token: write` request is now satisfied by the caller.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Aa5GtHJLEMsCcQcsnuc3J2
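A minimal caller/callee pair that reproduces the validation failure the PR describes and shows the corrected grant. This is an added example, not the repository's actual workflow files: the `publish` input, the job names other than `publish`, and the step contents are assumptions; the permission keys (`contents: write`, `id-token: write`) and the reusable-workflow relationship are the ones the description names. Note that `id-token: write` only lets the run request an OIDC token; it grants no write access to repository contents or packages, and the token is only useful to an external party (here the npm registry) that has been configured to trust this specific workflow.

```yaml
# --- version.yml (caller) BEFORE the fix: rejected at validation time ---
# Only contents: write is granted, so every other scope, including
# id-token, is implicitly "none" for the nested jobs.
name: Create New Release Branch
on:
  workflow_dispatch:
permissions:
  contents: write
jobs:
  release:
    uses: ./.github/workflows/call-release.yml
    with:
      publish: false        # never true here, but validation ignores that
    secrets: inherit
---
# --- version.yml (caller) AFTER the fix: passes validation ---
name: Create New Release Branch
on:
  workflow_dispatch:
permissions:
  contents: write
  id-token: write           # satisfies the nested publish job's static request
jobs:
  release:
    uses: ./.github/workflows/call-release.yml
    with:
      publish: false
    secrets: inherit
---
# --- call-release.yml (callee, reusable workflow) ---
# The publish job requests id-token: write. GitHub checks that request
# against the caller's permissions block when the caller is parsed, before
# the `if:` below is ever evaluated, so the grant must be present even when
# the job is guaranteed not to run.
name: Release
on:
  workflow_call:
    inputs:
      publish:              # assumed input name
        type: boolean
        default: false
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build
  publish:
    needs: build
    if: ${{ inputs.publish }}   # run-time gate, not a validation-time gate
    runs-on: ubuntu-latest
    permissions:
      id-token: write       # mint an OIDC token for npm trusted publishing
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: npm publish    # registry exchanges the OIDC token for publish rights
```

The three documents are separated by `---` only so they fit in one listing; in a repository each lives in its own file under `.github/workflows/`. The defensive takeaway is that a caller's `permissions` block is the ceiling for every job a reusable workflow declares, so reviewing a change like this one means confirming the added scope is the narrowest one the callee actually requests (here a single `id-token: write`) rather than a blanket `write-all`.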
potatowagon (Contributor) reviewed on Jun 25, 2026 and left a comment:
Reviewed by Navi (Tater Thoughts Bobblehead) on behalf of @potatowagon.

LGTM ✅

Summary: This PR adds `id-token: write` to version.yml's top-level permissions block so that the reusable call-release.yml workflow (whose `publish` job declares `id-token: write` for npm OIDC trusted publishing) can pass GitHub's static permission validation.

What I checked:

- Correctness: GitHub validates reusable workflow permission requests statically against the caller — even for jobs gated by `if:` conditions that will never run. The fix correctly mirrors what pre-release.yml already does (as the PR description notes), making this a straightforward alignment.
- Security: `id-token: write` is scoped to OIDC token issuance for the workflow run — it doesn't grant write access to repo contents, packages, or other sensitive scopes. The permission is already present in the sibling pre-release.yml caller, so this doesn't expand the overall attack surface.
- Edge cases: Since version.yml never sets `publish: true`, the `publish` job won't actually execute, but GitHub still requires the permission grant statically. No behavioral change.
- CI status: All checks pass — core-tests (unit, browser, integrity), e2e-tests (chromium), CLA, Vercel deploys. The browser/e2e/integration tests show "skipping" from the workflow-level `check_should_run` gate (CI-only change, no code paths affected).
- www compat: N/A — this is a CI workflow change with no code/API impact.

Verdict: Safe to merge. Single-line permissions addition that unblocks the release workflow. No risk of regression.
zurfyx approved these changes on Jun 25, 2026.