feat(ci): auto-create github releases and add workflow permissions

waleedlatif1 · waleedlatif1 · commit 090532fc81a4 · 2026-01-26T13:18:56.000-08:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -10,6 +10,9 @@ concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   test-build:
     name: Test and Build
@@ -278,3 +281,30 @@ jobs:
     if: needs.check-docs-changes.outputs.docs_changed == 'true'
     uses: ./.github/workflows/docs-embeddings.yml
     secrets: inherit
+
+  # Create GitHub Release (only for version commits on main, after all builds complete)
+  create-release:
+    name: Create GitHub Release
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    needs: [create-ghcr-manifests, detect-version]
+    if: needs.detect-version.outputs.is_release == 'true'
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Create release
+        env:
+          GH_PAT: ${{ secrets.GITHUB_TOKEN }}
+        run: bun run scripts/create-single-release.ts ${{ needs.detect-version.outputs.version }}
diff --git a/.github/workflows/docs-embeddings.yml b/.github/workflows/docs-embeddings.yml
@@ -4,6 +4,9 @@ on:
   workflow_call:
   workflow_dispatch: # Allow manual triggering
 
+permissions:
+  contents: read
+
 jobs:
   process-docs-embeddings:
     name: Process Documentation Embeddings
diff --git a/.github/workflows/migrations.yml b/.github/workflows/migrations.yml
@@ -4,6 +4,9 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   migrate:
     name: Apply Database Migrations
diff --git a/.github/workflows/publish-cli.yml b/.github/workflows/publish-cli.yml
@@ -6,6 +6,9 @@ on:
     paths:
       - 'packages/cli/**'
 
+permissions:
+  contents: read
+
 jobs:
   publish-npm:
     runs-on: blacksmith-4vcpu-ubuntu-2404
diff --git a/.github/workflows/publish-python-sdk.yml b/.github/workflows/publish-python-sdk.yml
@@ -6,6 +6,9 @@ on:
     paths:
       - 'packages/python-sdk/**'
 
+permissions:
+  contents: write
+
 jobs:
   publish-pypi:
     runs-on: blacksmith-4vcpu-ubuntu-2404
diff --git a/.github/workflows/publish-ts-sdk.yml b/.github/workflows/publish-ts-sdk.yml
@@ -6,6 +6,9 @@ on:
     paths:
       - 'packages/ts-sdk/**'
 
+permissions:
+  contents: write
+
 jobs:
   publish-npm:
     runs-on: blacksmith-4vcpu-ubuntu-2404
diff --git a/.github/workflows/test-build.yml b/.github/workflows/test-build.yml
@@ -4,6 +4,9 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test-build:
     name: Test and Build
