From 1daf2ab57a63d468a332f471d445965dbf8961c1 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 14 May 2026 16:03:39 +0000
Subject: [PATCH 1/2] ci: add permissions to caller jobs and upgrade release-please-action to v5
The release-please workflow fails with startup_failure because caller jobs invoking ci.yml and publish.yml do not declare explicit permissions. Also upgrades release-please-action from v4 to v5.
Co-Authored-By: rlamb@launchdarkly.com <4955475+kinyoklion@users.noreply.github.com>
---
 .github/workflows/release-please.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 4a52298..5482a49 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -16,7 +16,7 @@ jobs:
 pull-requests: write
 steps:
- - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
+ - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
 id: release
 with:
 token: ${{secrets.GITHUB_TOKEN}}
@@ -24,11 +24,18 @@ jobs:
 ci:
 needs: ['release-please']
+ permissions:
+ id-token: write
 if: ${{ needs.release-please.outputs.releases_created == 'true' }}
 uses: ./.github/workflows/ci.yml
 publish:
 needs: ['release-please', 'ci']
+ permissions:
+ id-token: write
+ contents: write
+ pull-requests: write
+ attestations: write
 if: ${{ needs.release-please.outputs.releases_created == 'true' }}
 uses: ./.github/workflows/publish.yml
 with:
From cae484446fd3f41e15d4d4f46c48034bbfeda504 Mon Sep 17 00:00:00 2001
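Review bot: The `ci` caller job in the second hunk is granted `id-token: write`, which, unless `ci.yml` narrows it per job, lets any step CI runs (build scripts, test dependencies) request an OIDC token for this repository; nothing visible in the hunk shows that CI needs it. Caller `permissions` only set the ceiling for the reusable workflow, so I would list here exactly what a job in `ci.yml` declares, and ask the same of `pull-requests: write` on `publish`, which sits next to `contents: write` and `attestations: write`. Where a scope is required, record the reason beside it, for example `id-token: write # OIDC for <consumer in ci.yml>`. Both job definitions continue outside the hunk (`publish` is cut at `with:`) and neither `ci.yml` nor `publish.yml` is shown, so this needs confirming against those files.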
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 14 May 2026 23:08:29 +0000
Subject: [PATCH 2/2] ci: add contents: read to ci caller job permissions
When a permissions block is specified, unmentioned permissions default to none. The ci.yml reusable workflow needs contents: read for actions/checkout.
Co-Authored-By: rlamb@launchdarkly.com <4955475+kinyoklion@users.noreply.github.com>
---
 .github/workflows/release-please.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 5482a49..9d9c245 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -26,6 +26,7 @@ jobs:
 needs: ['release-please']
 permissions:
 id-token: write
+ contents: read
 if: ${{ needs.release-please.outputs.releases_created == 'true' }}
 uses: ./.github/workflows/ci.yml
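Review bot: The reason for the added `contents: read` lives only in the commit message, so a later cleanup of this `permissions` block could drop it without any hint in the file of what it was for. I would carry the explanation onto the line itself, e.g. `contents: read # actions/checkout in ci.yml; unlisted scopes default to none`. The `ci` job starts above the hunk, and `ci.yml` is not shown, so the comment wording should be checked against what that workflow actually does.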