fix: release workflow also needs pull-requests: write permissions (#1…

…0816)
apollographql · Apr 27, 2023 · 1e8a86c · 1e8a86c
1 parent f45cde6
commit 1e8a86c
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,8 +13,12 @@ jobs:
     # Prevents action from creating a PR on forks
     if: github.repository == 'apollographql/apollo-client'
     runs-on: ubuntu-latest
+    # Permissions necessary for Changesets to push a new branch and open PRs
+    # (for automated Version Packages PRs), and request the JWT for provenance.
+    # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
     permissions:
-      contents: read
+      contents: write
+      pull-requests: write
       id-token: write
     steps:
       - name: Checkout repo
@@ -33,6 +37,7 @@ jobs:
       - name: Append NPM token to .npmrc
         run: |
           cat << EOF > "$HOME/.npmrc"
+            provenance=true
             //registry.npmjs.org/:_authToken=$NPM_TOKEN
           EOF
         env:

diff --git a/.npmrc b/.npmrc
@@ -1,2 +1 @@
 legacy-peer-deps=true
-provenance=true