
ci: scope release env and OIDC permissions to master#1799

Merged
bdraco merged 1 commit into master from ci/scope-release-permissions on Jun 21, 2026

Conversation

@bdraco

@bdraco bdraco commented Jun 21, 2026

Member

Summary

The single release job held id-token: write, contents: write, and the release environment on every trigger including pull requests, even though it only published on master; this splits it into two jobs so PR runs no longer carry release credentials.

Details

  • release-dry-run runs on PRs and non-master pushes with only contents: read, no environment and no OIDC, just the python-semantic-release dry run.
  • release runs only on master and keeps the release environment, id-token: write and contents: write scoped to that job, so the privileges never apply to untrusted PR code.
  • The branch-name git switch now reads the ref from an env var instead of interpolating it straight into the run script.

The same split has already been adopted in pySwitchbot and nexia; this resolves the dbus-fast issue tracked at Bluetooth-Devices/dbus-fast#769, which also affects this repo.

Test plan

  • YAML parses clean (yaml.safe_load)
  • CI dry-run job runs on this PR, publish job stays skipped
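A workflow layout matching the split described in the PR, written here as an added example rather than the repository's own workflow file: the two job names follow the PR, but the trigger conditions, the `release` environment name, the semantic-release invocation and the PyPI trusted-publishing step are assumptions.

```yaml
name: Release

on:
  push:
    branches: [master]
  pull_request:

# Workflow-wide default: read-only token and no OIDC token for any job
# that does not explicitly ask for more.
permissions:
  contents: read

jobs:
  release-dry-run:
    # PRs and pushes to any branch other than master: only reads, no
    # environment, no id-token, so untrusted PR code never sees credentials.
    if: github.event_name == 'pull_request' || github.ref != 'refs/heads/master'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # semantic-release needs the tag history
      - name: Compute next version without publishing (dry run)
        run: |
          pip install python-semantic-release
          semantic-release --noop version

  release:
    # Only a push that landed on master reaches this job.
    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    environment: release          # assumed environment name
    permissions:
      contents: write             # push the version commit and tag
      id-token: write             # OIDC token for PyPI trusted publishing
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Switch to the pushed branch
        # The ref is handed to the shell through an env var instead of being
        # interpolated into the script, so its content is data, not code.
        env:
          BRANCH_NAME: ${{ github.ref_name }}
        run: git switch "$BRANCH_NAME"
      - name: Version, tag and create the GitHub release
        uses: python-semantic-release/python-semantic-release@v9
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: Publish to PyPI via OIDC (assumed step)
        uses: pypa/gh-action-pypi-publish@release/v1
```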

@bdraco bdraco marked this pull request as ready for review June 21, 2026 23:49
@codecov

codecov Bot commented Jun 21, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.77%. Comparing base (868f28f) to head (df9bb9e).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #1799   +/-   ##
=======================================
  Coverage   99.77%   99.77%           
=======================================
  Files          33       33           
  Lines        3540     3540           
  Branches      498      498           
=======================================
  Hits         3532     3532           
  Misses          5        5           
  Partials        3        3           


@codspeed-hq

codspeed-hq Bot commented Jun 21, 2026


Merging this PR will not alter performance

✅ 21 untouched benchmarks


Comparing ci/scope-release-permissions (df9bb9e) with master (868f28f) [1]

Footnotes

  1. No successful run was found on master (5333fc5) during the generation of this report, so 868f28f was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.

@bdraco bdraco merged commit 5be5d60 into master Jun 21, 2026
34 checks passed
@bdraco bdraco deleted the ci/scope-release-permissions branch June 21, 2026 23:50