Main => Prod #177

Merged
dor-eitan merged 42 commits into prod from main
Aug 7, 2025

@dor-eitan
Contributor

No description provided.

dor-eitan and others added 30 commits May 20, 2025 11:08
* bugfix: speak when textual

* cr fixes

* cr fixes
…lback

Low conn/rtt stat+connectivity callback
* enrich mixpanel events with stream metadata

* fix datachannel signal

* add mixpanel event of agent-chat with status ready

* CR

* CR

* CR
* feature: interrupt

* feature: interrupt

* feature: interrupt

* make it more robust
* bump version 1.1.0-beta.15

* bump version 1.1.0-beta.14
* feature: interrupt type mixpanel event

* extract type
dariusz-did and others added 11 commits July 21, 2025 11:34
* feature: interrupt speak

* feature: interrupt speak
* videoId from DC

* typo
* add workflows to prod and staging

* fix: update workflow names to reflect correct package identifiers

* feature: add E2E test dispatch after publishing to staging

* change org

* wip

* feat: enhance workflows with version bumping and environment testing options

* feat: add DEPLOYMENT documentation for staging and production workflows

* feat: implement production deployment workflows with E2E validation

* feat: add SDK environment management and E2E testing workflows

* feat: enhance deployment workflows with version management and E2E testing updates

* enhance ci/cd workflow

* change runner to medium

* fix yarn

* fix yarn

* fix yarn

* change agents-ui to prod branch, added manual trigger

* add manual workflow

* open pr to agents ui

* increase timeout

* Refactor E2E workflows: remove manual branch input, add concurrency settings

---------

Co-authored-by: Daniel Abitbul <daniel.abitbul@deidentification.co>
* add outer control mode

* exclude text creation from new mode

* add onStreamCreated callback

* rename chat mode

* put back websockets

* getting video id from socket (#168)

* adjustments before merge

---------

Co-authored-by: Niv Zelber <niv.zelber@deidentification.co>
Co-authored-by: Dor Eitan <dor.eitan@deidentification.co>
Co-authored-by: dariusz-did <dar.dudek@deidentification.co>
Comment on lines +19 to +106
runs-on: ${{ github.event.inputs.ui_branch == 'prod' && 'ubuntu-latest' || 'aws-medium' }}
timeout-minutes: 30
environment:
name: ${{ github.event.inputs.ui_branch == 'prod' && 'prod' || 'staging' }}
env:
ENV: ${{ github.event.inputs.ui_branch == 'prod' && 'prod' || 'staging' }}

steps:
- name: Checkout SDK branch
uses: actions/checkout@v4
with:
path: agents-sdk
ref: ${{ github.event.inputs.sdk_branch }}

- name: Setup Node.js for SDK
uses: actions/setup-node@v4
with:
node-version: 20
cache-dependency-path: agents-sdk/yarn.lock

- name: Install Yarn
run: npm install -g yarn

- name: Install SDK dependencies
working-directory: agents-sdk
run: yarn install --frozen-lockfile

- name: Build SDK
working-directory: agents-sdk
run: yarn build

- name: Pack SDK for testing
working-directory: agents-sdk
run: |
npm pack
echo "SDK_PACKAGE=$(ls *.tgz)" >> $GITHUB_ENV

- name: Checkout agents-ui branch
uses: actions/checkout@v4
with:
repository: de-id/agents-ui
ref: ${{ github.event.inputs.ui_branch }}
path: agents-ui
token: ${{ secrets.DEVOPS_TOKEN }}

- name: Set github environment variables
uses: rlespinasse/github-slug-action@v4

- name: Setup Node.js for agents-ui
uses: actions/setup-node@v4
with:
node-version: 20

- name: Render .npmrc for agents-ui
working-directory: agents-ui
run: |
if [ -f .npmrc.template ]; then
sed "s/\$NPM_AUTH_TOKEN/${{ secrets.NPM_TOKEN }}/g" .npmrc.template > .npmrc
fi

- name: Install local SDK build in agents-ui
working-directory: agents-ui
run: |
yarn remove @d-id/client-sdk || true
yarn add file:../agents-sdk/${{ env.SDK_PACKAGE }}
yarn install --frozen-lockfile

- name: Install Playwright Chrome
working-directory: agents-ui
run: yarn playwright install chrome

- name: Run E2E tests
working-directory: agents-ui
env:
E2E_USER_APIKEY: ${{ secrets.E2E_USER_APIKEY }}
VITE_CLIENT_KEY: ${{ secrets.VITE_CLIENT_KEY }}
ASSERT_CHAT_RESTART: 'false'
run: yarn test:${{ github.event.inputs.ui_branch == 'prod' && 'prod' || 'staging' }}

- name: Upload test results
if: always()
uses: actions/upload-artifact@v4
with:
name: e2e-test-results-manual-${{ github.event.inputs.sdk_branch }}-${{ github.event.inputs.ui_branch }}
path: |
agents-ui/playwright-report/
agents-ui/test-results/
retention-days: 30
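
Review bot: in the "Render .npmrc for agents-ui" step, `sed "s/\$NPM_AUTH_TOKEN/${{ secrets.NPM_TOKEN }}/g"` expands the secret into the script text before the shell runs, so a token containing `/` or `&` changes the sed expression and the token becomes part of the generated script. Pass it through `env:` and substitute from the environment instead, as the pr-prod-e2e.yml version of this step does with `envsubst < .npmrc.template > .npmrc` and `NPM_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}`.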

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 9 months ago

To fix the problem, add a permissions block to the workflow to explicitly restrict the permissions granted to the GITHUB_TOKEN. The best way is to add the block at the root level of the workflow file, so it applies to all jobs unless overridden. For this workflow, the minimal required permission is likely contents: read, as the workflow checks out code and uploads artifacts but does not push changes or create pull requests. Add the following block after the name: and before the on: section:

permissions:
  contents: read

No additional imports, methods, or definitions are needed. Only a single block of YAML needs to be inserted.

Suggested changeset 1
.github/workflows/manual-e2e.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/manual-e2e.yml b/.github/workflows/manual-e2e.yml
--- a/.github/workflows/manual-e2e.yml
+++ b/.github/workflows/manual-e2e.yml
@@ -1,2 +1,4 @@
 name: Manual E2E Validation
+permissions:
+  contents: read
 
EOF
@@ -1,2 +1,4 @@
name: Manual E2E Validation
permissions:
contents: read
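
Review bot: `permissions:` is inserted directly under `name:` with the only blank line left after the block, while the pr-main-e2e.yml patch sets the same block off with a blank line on both sides; pick one layout and use it in every workflow file. The agents-ui checkout in this workflow passes `secrets.DEVOPS_TOKEN`, so it is not affected by what this block grants the GITHUB_TOKEN.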

Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
Comment on lines +14 to +101
runs-on: ubuntu-latest
timeout-minutes: 30
environment:
name: prod
env:
ENV: prod

steps:
- name: Checkout SDK branch
uses: actions/checkout@v4
with:
path: agents-sdk
ref: ${{ github.head_ref || github.ref_name }}

- name: Setup Node.js for SDK
uses: actions/setup-node@v4
with:
node-version: 20
cache-dependency-path: agents-sdk/yarn.lock

- name: Install Yarn
run: npm install -g yarn

- name: Install SDK dependencies
working-directory: agents-sdk
run: yarn install --frozen-lockfile

- name: Build SDK
working-directory: agents-sdk
run: yarn build

- name: Pack SDK for testing
working-directory: agents-sdk
run: |
npm pack
echo "SDK_PACKAGE=$(ls *.tgz)" >> $GITHUB_ENV

- name: Checkout agents-ui production branch
uses: actions/checkout@v4
with:
repository: de-id/agents-ui
ref: prod
path: agents-ui
token: ${{ secrets.DEVOPS_TOKEN }}

- name: Set github environment variables
uses: rlespinasse/github-slug-action@v4

- name: Setup Node.js for agents-ui
uses: actions/setup-node@v4
with:
node-version: 20

- name: Render .npmrc for agents-ui
working-directory: agents-ui
run: |
if [ -f .npmrc.template ]; then
sed "s/\$NPM_AUTH_TOKEN/${{ secrets.NPM_TOKEN }}/g" .npmrc.template > .npmrc
fi

- name: Install local SDK build in agents-ui
working-directory: agents-ui
run: |
yarn remove @d-id/client-sdk || true
yarn add file:../agents-sdk/${{ env.SDK_PACKAGE }}
yarn install --frozen-lockfile

- name: Install Playwright Chrome
working-directory: agents-ui
run: yarn playwright install chrome

- name: Run E2E tests against production
working-directory: agents-ui
env:
E2E_USER_APIKEY: ${{ secrets.E2E_USER_APIKEY }}
VITE_CLIENT_KEY: ${{ secrets.VITE_CLIENT_KEY }}
ASSERT_CHAT_RESTART: 'false'
run: yarn test:prod

- name: Upload test results
if: always()
uses: actions/upload-artifact@v4
with:
name: e2e-test-results-main-pr-${{ github.event.number }}
path: |
agents-ui/playwright-report/
agents-ui/test-results/
retention-days: 30
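
Review bot: the first steps check out `${{ github.head_ref || github.ref_name }}` and run `yarn install` and `yarn build` on it inside the same job that is bound to `environment: prod` and later reads `DEVOPS_TOKEN`, `NPM_TOKEN`, `E2E_USER_APIKEY` and `VITE_CLIENT_KEY`. The `on:` trigger is not visible in these lines, so confirm which pull requests can start this job. Splitting it into a build job without secrets that uploads the packed tarball, and a test job that downloads it, would at least keep the branch's build scripts and dev dependencies out of the job that holds the production credentials.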

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 9 months ago

To fix the problem, add a permissions block to the workflow file. This can be done at the root level (applies to all jobs) or at the job level (applies only to the specific job). Since there is only one job in this workflow, either approach is valid, but the root-level block is preferred for clarity and future extensibility. The minimal starting point is contents: read, which allows the workflow to read repository contents but not write to them. If the workflow requires additional permissions (e.g., to upload artifacts, interact with issues, or pull requests), those should be added explicitly. In this case, the workflow uploads artifacts but does not require write access to repository contents, so contents: read is sufficient.

Add the following block after the name: and before the on: section:

permissions:
  contents: read

No additional imports or dependencies are required.

Suggested changeset 1
.github/workflows/pr-main-e2e.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pr-main-e2e.yml b/.github/workflows/pr-main-e2e.yml
--- a/.github/workflows/pr-main-e2e.yml
+++ b/.github/workflows/pr-main-e2e.yml
@@ -2,2 +2,5 @@
 
+permissions:
+  contents: read
+
 on:
EOF
@@ -2,2 +2,5 @@

permissions:
contents: read

on:
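
Review bot: the added `permissions:` block carries no comment explaining the choice. Add one line above it noting that declaring `contents: read` sets every scope that is not listed to none, and that the cross-repository checkout relies on `secrets.DEVOPS_TOKEN`, so a later editor does not widen the GITHUB_TOKEN to fix an unrelated failure.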
Unable to commit as this autofix suggestion is now outdated
Comment on lines +14 to +71
runs-on: ubuntu-latest
timeout-minutes: 30
environment:
name: prod
env:
ENV: prod

steps:
- name: Checkout agents-ui production branch
uses: actions/checkout@v4
with:
repository: de-id/agents-ui
ref: prod
path: agents-ui
fetch-depth: 0
lfs: true
token: ${{ secrets.GITHUB_TOKEN }}

- name: Set github environment variables
uses: rlespinasse/github-slug-action@v4

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 20

- name: Render .npmrc for agents-ui
working-directory: agents-ui
run: |
if [ -f .npmrc.template ]; then
envsubst < .npmrc.template > .npmrc
fi
env:
NPM_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

- name: Install staging SDK version
working-directory: agents-ui
run: |
yarn remove @d-id/client-sdk || true
yarn add @d-id/client-sdk@staging
npm install -g yarn && yarn

- name: Run E2E tests against production environment
working-directory: agents-ui
env:
E2E_USER_APIKEY: ${{ secrets.E2E_USER_APIKEY }}
VITE_CLIENT_KEY: ${{ secrets.VITE_CLIENT_KEY }}
run: yarn test:prod

- name: Upload test results
if: always()
uses: actions/upload-artifact@v4
with:
name: e2e-test-results-prod-pr-${{ github.event.number }}
path: |
agents-ui/playwright-report/
agents-ui/test-results/
retention-days: 30
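
Review bot: in "Install staging SDK version", `npm install -g yarn && yarn` comes after `yarn remove` and `yarn add` have already run, so the global install is either redundant or too late. Move the Yarn setup ahead of the first `yarn` call, and because `@d-id/client-sdk@staging` is a moving dist-tag, print the resolved version in this step so a failing run can be tied to a specific staging build.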

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 8 months ago

The fix is to add an explicit permissions block to the workflow, in accordance with best practice. This can be added either at the workflow root (so it applies to all jobs) or to the specific jobs that need different permissions. Since there is only one job in this workflow (e2e-validation), adding the block at the top level is the simplest and most effective solution and will cause all jobs to only allow read access to repository contents via GITHUB_TOKEN. If a job needs a specific write permission (e.g., for pull-requests, issues, etc.), additional scopes may be added as needed, but for this workflow, the minimal { contents: read } is recommended as a starting point. The change consists of inserting the following at the top level under the workflow name:

permissions:
  contents: read

This should be added after the name: key and before the on: block, specifically as line 2 in the file.

Suggested changeset 1
.github/workflows/pr-prod-e2e.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pr-prod-e2e.yml b/.github/workflows/pr-prod-e2e.yml
--- a/.github/workflows/pr-prod-e2e.yml
+++ b/.github/workflows/pr-prod-e2e.yml
@@ -1,4 +1,6 @@
 name: UI prod e2e with staging sdk build
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
@@ -1,4 +1,6 @@
name: UI prod e2e with staging sdk build
permissions:
contents: read

on:
pull_request:
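
Review bot: `contents: read` on the GITHUB_TOKEN only covers the repository this workflow runs in, but the job's first step checks out `repository: de-id/agents-ui` with `token: ${{ secrets.GITHUB_TOKEN }}`. If agents-ui is a separate, non-public repository, that checkout cannot succeed with this token whatever the permissions block says. The other two E2E workflows pass `secrets.DEVOPS_TOKEN` for the same checkout, so align this one or document why it differs.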
Unable to commit as this autofix suggestion is now outdated
Comment on lines +16 to +210
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 20
registry-url: 'https://registry.npmjs.org'
cache: 'yarn'

- name: Install dependencies
run: yarn install --frozen-lockfile

- name: Build package
run: yarn build

- name: Determine version and tag
id: version
run: |
if [ "${{ github.ref_name }}" = "main" ]; then
# For main branch - staging versions with run number
BASE_VERSION=$(jq -r '.version' package.json)
if [ "$BASE_VERSION" = "null" ]; then
echo "Error: Could not read version from package.json"
exit 1
fi
CLEAN_VERSION=$(echo "$BASE_VERSION" | sed 's/-.*$//')
STAGING_VERSION="${CLEAN_VERSION}-staging.${{ github.run_number }}"
echo "version=$STAGING_VERSION" >> $GITHUB_OUTPUT
echo "tag=staging" >> $GITHUB_OUTPUT
echo "description=Staging release from main branch" >> $GITHUB_OUTPUT
echo "should_sync=false" >> $GITHUB_OUTPUT
else
# For prod branch - production versions
# Use npm version command (official npm way to bump versions)
NEW_VERSION=$(npm version patch --no-git-tag-version --silent)
NEW_VERSION=${NEW_VERSION#v} # Remove 'v' prefix if present
echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT
echo "tag=latest" >> $GITHUB_OUTPUT
echo "description=Production release" >> $GITHUB_OUTPUT
echo "should_sync=true" >> $GITHUB_OUTPUT
fi

- name: Update package.json version
run: |
jq --arg version "${{ steps.version.outputs.version }}" '.version = $version' package.json > package.json.tmp

if ! jq empty package.json.tmp 2>/dev/null; then
echo "Error: Generated invalid JSON"
rm -f package.json.tmp
exit 1
fi

mv package.json.tmp package.json

echo "Updated package.json version to: $(jq -r '.version' package.json)"

- name: Publish to NPM
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: |
if [ "${{ github.event.inputs.dry_run }}" = "true" ]; then
echo "🔍 DRY RUN MODE: Would publish version ${{ steps.version.outputs.version }} with tag ${{ steps.version.outputs.tag }}"
echo "📦 Package would be published to: https://www.npmjs.com/package/@d-id/client-sdk/v/${{ steps.version.outputs.version }}"
echo "🏷️ NPM tag would be: ${{ steps.version.outputs.tag }}"
echo "✅ Dry run completed successfully - no actual publishing occurred"
else
echo "🚀 Publishing version ${{ steps.version.outputs.version }} with tag ${{ steps.version.outputs.tag }}"
npm publish --access public --tag ${{ steps.version.outputs.tag }}
echo "✅ Successfully published to NPM"
fi

- name: Create Git tag for production
if: github.ref_name == 'prod' && github.event.inputs.dry_run != 'true'
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git tag "v${{ steps.version.outputs.version }}"
git push origin "v${{ steps.version.outputs.version }}"

- name: Commit version bump (prod only)
if: github.ref_name == 'prod' && github.event.inputs.dry_run != 'true'
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add package.json
git commit -m "chore: bump version to ${{ steps.version.outputs.version }} [skip ci]" || echo "No changes to commit"
git push origin prod

- name: Sync version back to main (prod only)
if: github.ref_name == 'prod' && github.event.inputs.dry_run != 'true'
run: |
# Fetch latest main
git fetch origin main
git checkout main
git pull origin main

jq --arg version "${{ steps.version.outputs.version }}" '.version = $version' package.json > package.json.tmp

if ! jq empty package.json.tmp 2>/dev/null; then
echo "Error: Generated invalid JSON"
rm -f package.json.tmp
exit 1
fi

mv package.json.tmp package.json

if git diff --quiet package.json; then
echo "No version changes needed"
else
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add package.json
git commit -m "chore: sync version ${{ steps.version.outputs.version }} from prod [skip ci]"
git push origin main
fi

- name: Create GitHub Release (prod only)
if: github.ref_name == 'prod' && github.event.inputs.dry_run != 'true'
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: v${{ steps.version.outputs.version }}
release_name: Release v${{ steps.version.outputs.version }}
body: |
## Release v${{ steps.version.outputs.version }}

**Published to NPM:** [@d-id/client-sdk@${{ steps.version.outputs.version }}](https://www.npmjs.com/package/@d-id/client-sdk/v/${{ steps.version.outputs.version }})

### Installation
```bash
npm install @d-id/client-sdk@${{ steps.version.outputs.version }}
```

${{ steps.version.outputs.description }}
draft: false
prerelease: false

- name: Checkout agents-ui repository
if: github.ref_name == 'prod' && github.event.inputs.dry_run != 'true'
uses: actions/checkout@v4
with:
repository: de-id/agents-ui
token: ${{ secrets.GITHUB_TOKEN }}
path: agents-ui

- name: Update SDK version and create PR
if: github.ref_name == 'prod' && github.event.inputs.dry_run != 'true'
run: |
cd agents-ui

jq --arg version "${{ steps.version.outputs.version }}" '.dependencies."@d-id/client-sdk" = $version' package.json > package.json.tmp
mv package.json.tmp package.json

if git diff --quiet package.json; then
echo "No version changes needed in agents-ui"
exit 0
fi

git checkout -b "chore/bump-sdk-version-${{ steps.version.outputs.version }}"
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add package.json
git commit -m "chore: bump @d-id/client-sdk to v${{ steps.version.outputs.version }}"
git push origin "chore/bump-sdk-version-${{ steps.version.outputs.version }}"

gh pr create \
--repo de-id/agents-ui \
--title "chore: bump @d-id/client-sdk to v${{ steps.version.outputs.version }}" \
--body "## SDK Version Update

This PR updates the @d-id/client-sdk dependency to version ${{ steps.version.outputs.version }}.

### Changes
- Updated @d-id/client-sdk from previous version to v${{ steps.version.outputs.version }}

### Related
- SDK Release: [v${{ steps.version.outputs.version }}](https://github.com/d-id/agents-sdk/releases/tag/v${{ steps.version.outputs.version }})
- NPM Package: [@d-id/client-sdk@${{ steps.version.outputs.version }}](https://www.npmjs.com/package/@d-id/client-sdk/v/${{ steps.version.outputs.version }})

### Next Steps
- [ ] Review the changes
- [ ] Run tests to ensure compatibility
- [ ] Merge when ready" \
--base main \
--head "chore/bump-sdk-version-${{ steps.version.outputs.version }}" \
--label "dependencies" \
--label "automated"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
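
Review bot: "Create Git tag for production" runs `git tag "v${{ steps.version.outputs.version }}"` and pushes it before "Commit version bump (prod only)" commits the changed package.json, so the tag points at the commit that still carries the previous version. Commit the bump first and tag that commit. The same ordering applies to `npm publish`, which runs before any of the git pushes: if a push to prod or main is rejected, the version is already on the registry with nothing recording it in the repository.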

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 9 months ago

To fix the problem, add a permissions block to the workflow to explicitly specify the minimum required permissions for the GITHUB_TOKEN. This can be done at the workflow root (applies to all jobs) or at the job level (applies to a specific job). The workflow needs to push commits/tags, create releases, and open pull requests, so it requires contents: write and pull-requests: write. It is best to set these at the workflow root for clarity and maintainability, unless some jobs require different permissions. The change should be made at the top level of .github/workflows/publish-on-merge.yml, immediately after the name: line and before the on: block.


Suggested changeset 1
.github/workflows/publish-on-merge.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish-on-merge.yml b/.github/workflows/publish-on-merge.yml
--- a/.github/workflows/publish-on-merge.yml
+++ b/.github/workflows/publish-on-merge.yml
@@ -1,2 +1,5 @@
 name: Auto Publish SDK
+permissions:
+  contents: write
+  pull-requests: write
 
EOF
@@ -1,2 +1,5 @@
name: Auto Publish SDK
permissions:
contents: write
pull-requests: write
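
Review bot: `pull-requests: write` does not cover what the pull request step does: the workflow runs `gh pr create --repo de-id/agents-ui` and pushes a branch there with `secrets.GITHUB_TOKEN`, and a GITHUB_TOKEN is limited to the repository the workflow runs in. Give that step a token that has access to agents-ui and drop `pull-requests: write`, or keep the scope only if pull requests in this repository are touched. Also consider declaring `contents: write` on the publishing job rather than at the workflow root, so any job added later starts from read-only.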

Unable to commit as this autofix suggestion is now outdated
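
The check behind the four CodeQL warnings in this thread can be approximated locally. The following is an added example, not code from this repository or from CodeQL: a line-based scan (no YAML parser) that reports whether a workflow declares `permissions` at the root, which root scopes are set to `write`, and which jobs are left without any limit. The sample workflows are constructed, and their job ids and trigger lines are assumptions.

```python
import re

# "key: value" at the start of a line; list items ("- name: x") do not match.
KEY = re.compile(r"^( *)([A-Za-z0-9_-]+) *:(?: +(.*))?$")

def audit_permissions(text):
    """Line-based check of one workflow file (an approximation, not a YAML parser)."""
    root_declared, root_writes = False, []
    jobs = {}                      # job id -> True when the job sets its own permissions
    section = current_job = None   # current top-level key / job being read
    job_indent = key_indent = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        value = (m.group(3) or "").split(" #")[0].strip()
        if indent == 0:
            section, current_job = key, None
            if key == "permissions":
                root_declared = True
                if value == "write-all":
                    root_writes.append("*")
        elif section == "permissions" and value == "write":
            root_writes.append(key)
        elif section == "jobs":
            job_indent = indent if job_indent is None else job_indent
            if indent == job_indent:          # a new job id under `jobs:`
                current_job, key_indent = key, None
                jobs[key] = False
            elif current_job is not None:
                key_indent = indent if key_indent is None else key_indent
                if indent == key_indent and key == "permissions":
                    jobs[current_job] = True
    # A root block limits every job; without one, each job needs its own.
    unlimited = [] if root_declared else [j for j, own in jobs.items() if not own]
    return {"root_declared": root_declared, "root_writes": root_writes,
            "jobs_without_limit": unlimited}

# Constructed samples modelled on the workflows in this thread; the job ids
# and trigger lines are assumptions, not taken from the repository.
BEFORE = """name: Manual E2E Validation
on:
  workflow_dispatch:
jobs:
  e2e-validation:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
AFTER = BEFORE.replace("on:\n", "permissions:\n  contents: read\non:\n", 1)
PUBLISH = """name: Auto Publish SDK
permissions:
  contents: write
  pull-requests: write
jobs:
  publish:
    runs-on: ubuntu-latest
"""

if __name__ == "__main__":
    print([audit_permissions(d) for d in (BEFORE, AFTER, PUBLISH)])
```

A non-empty `root_writes` is not a failure by itself; it marks workflows where write scopes apply to every job and are worth narrowing to the job that needs them.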
@dor-eitan dor-eitan merged commit a697388 into prod Aug 7, 2025
4 of 5 checks passed