
fix(ci): add secrets inherit and permissions for release workflow OIDC#82

Merged
philcarbone merged 6 commits into develop from fix/release-workflow-oidc on Feb 7, 2026

Conversation

@philcarbone (Contributor)

Summary

  • Adds secrets: inherit to the reusable workflow call for NuGet publish
  • Adds top-level permissions block with id-token: write for OIDC trusted publishing

Problem

The release workflow was failing with startup_failure because:

  1. The reusable workflow (nuget-publish.yml) needs OIDC tokens for trusted publishing
  2. Without secrets: inherit, the OIDC token permissions weren't being passed to the called workflow

Solution

  • Added secrets: inherit to pass token permissions to the reusable workflow
  • Added workflow-level permissions to ensure OIDC tokens are available

🤖 Generated with Claude Code
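As an added example (not the PR's own diff, which is not shown on this page), the two changes listed in the summary look like this on the caller side. The file name `release.yml`, the tag-push trigger, the job name `publish`, and the `contents: read` grant are assumptions; `nuget-publish.yml` and the `id-token: write` / `secrets: inherit` settings are taken from the PR. The security-relevant point is that a reusable workflow can never hold more permissions than its caller grants, so the called workflow's own `permissions: id-token: write` is only effective when the caller grants it too; everything else is kept read-only.

```yaml
# Added example (not the PR's diff): caller workflow that invokes the
# reusable nuget-publish.yml so that OIDC trusted publishing can work.
# Assumed: file name release.yml, the tag trigger, the job name.
name: Release

on:
  push:
    tags:
      - 'v*'

# --- before (as described in the PR): no permissions block, no secrets ---
# jobs:
#   publish:
#     uses: ./.github/workflows/nuget-publish.yml

# --- after ---
# Workflow-level permissions. GitHub only lets a called workflow keep
# permissions that are equal to or more restrictive than the caller's, so
# id-token: write must be granted here (or on the calling job) for the
# reusable workflow's own id-token: write to take effect. Listing
# permissions explicitly also drops every scope not named (least privilege).
permissions:
  contents: read
  id-token: write

jobs:
  publish:
    uses: ./.github/workflows/nuget-publish.yml
    # Forward the caller's repository/organization secrets to the reusable
    # workflow. OIDC itself is driven by the id-token permission, not by a
    # stored secret, but any secret the reusable workflow declares under
    # workflow_call.secrets would otherwise not be available to it.
    secrets: inherit
```

On the callee side (`nuget-publish.yml`, per the commit message further down) the `permissions` block with `id-token: write` stays where it is; the caller's grant above is what makes it usable. Granting `id-token: write` only on the workflow or job that actually publishes, rather than repository-wide, keeps the OIDC token out of unrelated jobs.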

@github-actions (Contributor)

github-actions Bot commented Feb 7, 2026

📦 Version Information: 0.4.0-pr82.66

Property Value
SemVer 0.4.0-pr82.66
Full SemVer 0.4.0-pr82.66
Pre-release pr82.66

@codecov

codecov Bot commented Feb 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


philcarbone and others added 4 commits February 7, 2026 10:41

The nuget-publish.yml workflow uses OIDC trusted publishing which relies
on id-token permission, not repository secrets. The called workflow has
its own permissions block with id-token: write.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- cache-cleanup-pr.yml: Deletes caches when PRs are closed/merged
- cache-cleanup-scheduled.yml: Weekly cleanup (Sunday midnight UTC)
  Keeps newest 3 caches to stay under 10GB limit

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

PR-based cleanup would delete caches that can be shared across
PRs with identical dependencies. Weekly scheduled cleanup is
sufficient to stay under the 10GB limit.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Prevents spurious Python/PLSQL warnings from node-gyp dependencies.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@sonarqubecloud

sonarqubecloud Bot commented Feb 7, 2026

Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

SonarCloud plan doesn't support PR/branch analysis.
Only run on pushes to main or develop.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@philcarbone philcarbone merged commit e615674 into develop Feb 7, 2026
23 of 24 checks passed