From cfcc98c291ad979fa495435cdc9268dbb8e441f0 Mon Sep 17 00:00:00 2001 From: sherwinski Date: Tue, 19 May 2026 11:12:01 -0700 Subject: [PATCH 1/2] ci: grant pull-requests:write to Release (v3) workflow The `release / create_release` job (reusable workflow `OneSignal/sdk-shared/.github/workflows/create-release.yml`) calls `gh pr create`, which failed with `Resource not accessible by integration (createPullRequest)` because the caller workflow only granted `contents: write`. Reusable workflows cannot expand permissions beyond what the caller provides, so the token reached the job without `pull-requests: write`. Add it at the workflow scope so all jobs in the release pipeline can create/update PRs. --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ff83a8f..68ade51 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,6 +10,7 @@ on: permissions: contents: write + pull-requests: write jobs: prep: From aed68efc35a80e784b40eea4844bf1c6a6a50e32 Mon Sep 17 00:00:00 2001 From: sherwinski Date: Tue, 19 May 2026 11:38:02 -0700 Subject: [PATCH 2/2] ci: grant pull-requests:write to Release (v2) workflow `release-v2.yml` has the same structural issue as `release.yml`: its `release` job calls the reusable `OneSignal/sdk-shared/.github/workflows/create-release.yml`, which runs `gh pr create`. With only `contents: write` on the caller, the next v2 release dispatch would fail with the same `Resource not accessible by integration (createPullRequest)` error. Restore the v2/v3 lockstep maintained by #420 and #421. --- .github/workflows/release-v2.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release-v2.yml b/.github/workflows/release-v2.yml index d2a553f..c63c0ec 100644 --- a/.github/workflows/release-v2.yml +++ b/.github/workflows/release-v2.yml @@ -10,6 +10,7 @@ on: permissions: contents: write + pull-requests: write jobs: prep: