From b146f92b72d3a500ce40ee52e4a873df3b2a1cdf Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 14 May 2026 16:03:30 +0000
Subject: [PATCH] ci: add permissions to release-sdk caller job

The release-please workflow fails with startup_failure because the
caller job invoking publish.yml does not declare explicit permissions.
This causes the reusable workflow's permission requirements to exceed
the restricted defaults.

Co-Authored-By: rlamb@launchdarkly.com <4955475+kinyoklion@users.noreply.github.com>
---
 .github/workflows/release-please.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 480d33d..9c0e2a0 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -20,6 +20,10 @@ jobs:
 
   release-sdk:
     needs: ['release-please']
+    permissions:
+      id-token: write
+      contents: write
+      attestations: write
     if: ${{ needs.release-please.outputs.release-created == 'true' }}
     uses: ./.github/workflows/publish.yml
     with: