ci(go-lib): grant id-token and attestations to release caller template#163
Conversation
The go-lib release.yml caller granted only `contents: write`, but the golib-create-release reusable workflow's release job requests `id-token: write` (cosign keyless) and `attestations: write` (#16). A called reusable workflow requesting more permissions than the caller grants fails at startup, so every go-lib repo's release workflow startup-failed on its first tag since the migration (observed on netresearch/go-cron v0.15.0). Mirror the go-app template, which already grants all three. Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the GitHub Actions release workflow for the Go library template to include 'id-token: write' and 'attestations: write' permissions. There are no review comments, and I have no additional feedback to provide.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
There was a problem hiding this comment.
Pull request overview
Fixes a GitHub Actions permission mismatch in the go-lib release caller template so that repositories using this template can successfully invoke the golib-create-release.yml reusable workflow (which requires id-token: write for keyless Cosign signing and attestations: write for GitHub attestations).
Changes:
- Extend the
templates/go-librelease workflow caller job permissions to includeid-token: write. - Extend the
templates/go-librelease workflow caller job permissions to includeattestations: write. - Align go-lib’s release caller permissions with the reusable workflow’s
releasejob requirements (and the existing go-app template pattern).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Problem
The
go-librelease.yml caller template grants onlycontents: write, but thegolib-create-releasereusable workflow'sreleasejob requestsid-token: write(cosign keyless) andattestations: write(added in #16). A called reusable workflow cannot request more permissions than the calling job grants, so the run fails at startup.This was observed on netresearch/go-cron v0.15.0 — the first release tag in a go-lib repo since the reusable-workflow migration. Its Release workflow startup-failed with "workflow file issue".
Fix
Grant the go-lib caller
id-token: writeandattestations: writein addition tocontents: write— mirroring thego-apptemplate, which already has all three.Impact
Affects every repo consuming the
go-libtemplate's release workflow. After merge, those repos pick up the fix on their next template sync.