ci: "prep / prepare_release" CI failure: grant write permissions and drop GH_PUSH_TOKEN

[Copilot]

release.yml and release-v2.yml both had permissions: contents: read, and GH_PUSH_TOKEN (owned by onesignal-deploy) was being used for git operations despite lacking write access to this repo — causing the prep / prepare_release job to fail with HTTP 403 on git push.

One Line Summary

Grant contents: write to GITHUB_TOKEN and stop passing GH_PUSH_TOKEN to reusable release workflows so github.token (github-actions[bot]) handles all git writes.

Motivation

CI failure: prep / prepare_release job (run 25891374319, job 76095096624).

remote: Permission to OneSignal/OneSignal-WordPress-Plugin.git denied to onesignal-deploy.
fatal: unable to access '...': The requested URL returned error: 403

Scope

• Affected: .github/workflows/release.yml, .github/workflows/release-v2.yml
• Not affected: Plugin PHP/JS/CSS code, tests, build artifacts

Changes per workflow file:

Location	Before	After
Top-level permissions	contents: read	contents: write
prep job secrets:	passes GH_PUSH_TOKEN	removed
bump job token:	${{ secrets.GH_PUSH_TOKEN || github.token }}	${{ github.token }}
release job secrets:	passes GH_PUSH_TOKEN	removed

Testing

Manual

1. Trigger the Release (v3) workflow via workflow_dispatch with a test version — confirm prep / prepare_release creates the release branch without a 403.
2. Confirm bump and release jobs complete successfully in sequence.

Unit / Integration

• composer test passes locally

Affected code checklist

• PHP plugin code (v3/)
• v2/ legacy code
• JS / CSS assets
• Build / CI
• Tests
• Documentation (README, readme.txt, etc.)

Checklist

• Code follows existing style in the touched files
• Tested manually in the relevant editor(s)
  • Gutenberg/Block editor
  • Classic editor
• No new lint or test errors introduced
• Linear ticket / GitHub issue linked above
• readme.txt and plugin version bumped if user-facing (release PRs only)