From f40ecbb899f19d9d12c91a1d12a6f0086bdcdf6c Mon Sep 17 00:00:00 2001
From: Hugh Hackman <hugh@privilegedescalation.io>
Date: Sat, 21 Mar 2026 07:58:50 +0000
Subject: [PATCH] fix(workflows): add pull-requests permission and secrets:
 inherit to release
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The shared plugin-release.yaml reusable workflow declares pull-requests: write
and uses it to create/merge the release PR. Calling workflows must grant all
permissions declared by reusable workflows or the job fails at startup.

Also adds secrets: inherit so org-level RELEASE_APP_ID and RELEASE_APP_PRIVATE_KEY
are forwarded to the external reusable workflow — without this they arrive empty
and the release is silently skipped.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/workflows/release.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 010e801..5299e32 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,9 +10,11 @@ on:
 
 permissions:
   contents: write
+  pull-requests: write
 
 jobs:
   release:
     uses: privilegedescalation/.github/.github/workflows/plugin-release.yaml@main
     with:
       version: ${{ inputs.version }}
+    secrets: inherit