Fix publish workflow permissions

[esezen]

No description provided.

[Copilot]

Pull request overview

This PR updates the main Publish GitHub Actions workflow to explicitly grant token permissions needed by downstream reusable workflows (NPM trusted publishing via OIDC, AWS OIDC for CDN deploy, and GitHub Pages for Storybook).

Changes:

• Added a workflow-level permissions block granting id-token: write, contents: write, and pages: write to the publish pipeline.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The workflow-level permissions block grants id-token: write and pages: write to all jobs (including update_package_version), which increases blast radius if any step/action in those jobs is compromised. Prefer setting minimal permissions per job (especially for the reusable-workflow call jobs) so only the NPM/CDN/Pages deployments get id-token: write/pages: write, while version/tag/release steps get only the specific contents scope they need.

[constructor-claude-bedrock]

Code Review Results

✅ Strengths

The fix correctly addresses the OIDC permission propagation issue for reusable workflow calls by explicitly setting the required permissions at the caller job level.

🚨 Critical Issues

None.

⚠️ Important Issues

• [File: .github/workflows/publish.yml Lines: 81-83, 92-94] The added permissions blocks are correct in intent, but it's worth understanding why they are necessary: GitHub Actions does not automatically inherit top-level permissions from a reusable workflow's own definition back to the caller. When a job calls a reusable workflow via workflow_call, the OIDC token (id-token: write) must be explicitly granted at the calling job level in addition to the called workflow defining it. Without this, the OIDC-based authentication (NPM Trusted Publishers / AWS OIDC) will fail.

  However, a concern remains: the publish_to_cdn job at line 89 only declares contents: read and id-token: write, but the publish-cdn.yml workflow requires AWS OIDC (id-token: write) which is covered. This looks correct.

  Suggestion: Add an inline comment explaining why these permission blocks are needed (similar to the comment in publish-npm.yml line 21–26 and publish-cdn.yml line 21–26), so future maintainers understand this is not redundant:

  publish_to_npm:
    name: Publish to NPM
    needs: [create_github_release, update_package_version]
    # Required to pass OIDC token to the reusable workflow for NPM Trusted Publishers auth
    permissions:
      id-token: write
      contents: read

💡 Suggestions

• [File: .github/workflows/publish.yml Line: 100] The deploy_storybook job (line 100–103) has no explicit permissions block. If that reusable workflow also requires specific permissions in the future, it would silently fail. Consider auditing deploy-storybook.yml to confirm its permission requirements are met.

• [File: .github/workflows/publish.yml Line: 124] The final_deployment_notification job uses ravsamhq/notify-slack-action@v2 (unpinned floating tag) while other usages of the same action in the file are pinned to a commit SHA (@bca2d7f5660b833a27bda4f6b8bef389ebfefd25). This is a pre-existing inconsistency, but worth fixing for supply-chain security consistency.

Overall Assessment: ✅ Pass