From 406dcc1eef6ff1708f4fa7c3fe6ad48119016182 Mon Sep 17 00:00:00 2001
From: Hugh Nimmo-Smith <hughns@matrix.org>
Date: Wed, 23 Oct 2024 17:01:04 +0100
Subject: [PATCH 1/2] chore(ci): set permissions for dry-run of release

---
 .github/workflows/ci.yml | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8f44d68..af7642b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,8 @@ jobs:
   lint:
     name: 'Lint'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -37,6 +39,8 @@ jobs:
   build-and-test:
     name: 'Build and Test'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -68,11 +72,6 @@ jobs:
       - name: Test Node from .nvmrc
         run: yarn test:nodejs
 
-      - name: Release dry-run
-        run: yarn release --dry-run --no-ci --branches "${{ github.base_ref || github.ref_name }}"
-        env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Switch to Node 20
         uses: actions/setup-node@v4
@@ -111,9 +110,11 @@ jobs:
 
   release:
     name: Semantic release
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     needs: [lint, build-and-test]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -138,7 +139,14 @@ jobs:
       - name: Install deps
         if: steps.cache-node_modules.outputs.cache-hit != 'true'
         run: yarn install --frozen-lockfile
+      - name: Release dry-run
+        if: github.event_name != 'push' || github.ref != 'refs/heads/main'
+        run: yarn release --dry-run --no-ci --branches "${{ github.base_ref || github.ref_name }}"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       - name: Release
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
         run: yarn release
         env:
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

From 7cfe77ab3f5d599924da373f8b31e99c70b3df6e Mon Sep 17 00:00:00 2001
From: Hugh Nimmo-Smith <hughns@matrix.org>
Date: Wed, 23 Oct 2024 17:03:50 +0100
Subject: [PATCH 2/2] chore: fix ref_name

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index af7642b..54b2798 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -141,7 +141,7 @@ jobs:
         run: yarn install --frozen-lockfile
       - name: Release dry-run
         if: github.event_name != 'push' || github.ref != 'refs/heads/main'
-        run: yarn release --dry-run --no-ci --branches "${{ github.base_ref || github.ref_name }}"
+        run: yarn release --dry-run --no-ci --branches "${{ github.ref_name }}"
         env:
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}