feat(github-actions): enabled the permissions needed for the reusable workflow

Author: travi

src/semantic-release/ci-providers/github-workflows/lifter-test.js

@@ -26,6 +26,12 @@ suite('github-workflows lifter for semantic-release', () => {
   const reusableReleaseWorkflowReference = any.string();
   const modernReleaseJobDefinition = {
     needs: neededJobsToTriggerRelease,
+    permissions: {
+      contents: 'write',
+      'id-token': 'write',
+      issues: 'write',
+      'pull-requests': 'write'
+    },
     uses: reusableReleaseWorkflowReference,
     // eslint-disable-next-line no-template-curly-in-string
     secrets: {NPM_TOKEN: '${{ secrets.NPM_PUBLISH_TOKEN }}'}

src/semantic-release/ci-providers/github-workflows/lifter.js

@@ -34,6 +34,12 @@ export default async function ({projectRoot, nodeVersion}) {
     ...removeCycjimmyActionFrom(otherJobs),
     release: {
       needs: determineTriggerNeedsFrom(otherJobs),
+      permissions: {
+        contents: 'write',
+        'id-token': 'write',
+        issues: 'write',
+        'pull-requests': 'write'
+      },
       uses: determineAppropriateWorkflow(nodeVersion),
       // eslint-disable-next-line no-template-curly-in-string
       secrets: {NPM_TOKEN: '${{ secrets.NPM_PUBLISH_TOKEN }}'}

test/integration/features/step_definitions/github-workflows-steps.js

@@ -106,6 +106,15 @@ Then('the verification workflow calls the reusable release workflow', async func
   const releaseJob = verificationWorkflowJobs.release;
 
   assert.deepEqual(releaseJob.needs, ['verify']);
+  assert.deepEqual(
+    releaseJob.permissions,
+    {
+      contents: 'write',
+      'id-token': 'write',
+      issues: 'write',
+      'pull-requests': 'write'
+    }
+  );
 
   assert.equal(releaseJob.uses, 'form8ion/.github/.github/workflows/release-package.yml@master');
   // eslint-disable-next-line no-template-curly-in-string