From f87272f7ff66cf480c0b4a6931969513c496caf5 Mon Sep 17 00:00:00 2001
From: SoulPancake
Date: Tue, 2 Jun 2026 11:28:52 +0530
Subject: [PATCH 1/3] chore: skip github release and use gpg signed tag flow
---
 release-please-config.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/release-please-config.json b/release-please-config.json
index e33d3e2..615169c 100644
--- a/release-please-config.json
+++ b/release-please-config.json
@@ -2,8 +2,7 @@
 "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
 "release-type": "python",
 "pull-request-title-pattern": "release: v${version}",
- "draft": true,
- "force-tag-creation": true,
+ "skip-github-release": true,
 "packages": {
 ".": {
 "package-name": "",
From c254dcbc359b4f6257499b5a9a3ce5384e12c0e2 Mon Sep 17 00:00:00 2001
From: SoulPancake
Date: Tue, 2 Jun 2026 12:18:21 +0530
Subject: [PATCH 2/3] chore: point reusable workflows to openfga/.github
---
 .github/workflows/main.yaml | 2 +-
 .github/workflows/pr-title-conventional-commit.yml | 2 +-
 .github/workflows/release-please.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 6e40bba..a7125dc 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -122,4 +122,4 @@ jobs:
 needs: [publish]
 permissions:
 contents: write
- uses: openfga/sdk-generator/.github/workflows/undraft-release.yml@main
+ uses: openfga/.github/.github/workflows/undraft-release.yml@main
diff --git a/.github/workflows/pr-title-conventional-commit.yml b/.github/workflows/pr-title-conventional-commit.yml
index e5061b0..9023236 100644
--- a/.github/workflows/pr-title-conventional-commit.yml
+++ b/.github/workflows/pr-title-conventional-commit.yml
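Review bot: In release-please-config.json, replacing `draft` and `force-tag-creation` with `"skip-github-release": true` means release-please itself no longer creates the tag or the GitHub release, and nothing in this hunk shows what does. The `undraft-release` job that main.yaml still calls (next file in the series) presumably expects a draft release to exist, so it is worth confirming that the GPG-signed tag flow named in the subject creates one before that job runs. JSON has no comment syntax, so the commit description is the place to record this, e.g. `Tag and draft release are now created by <workflow name>`.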
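Review bot: The new `uses:` line in .github/workflows/main.yaml still resolves the reusable workflow through the mutable `@main` ref while the job grants `contents: write`, so whatever lands on that branch of openfga/.github runs with write access to this repository on the next release. Pinning to a full commit SHA keeps the called code fixed and reviewable, e.g. `uses: openfga/.github/.github/workflows/undraft-release.yml@<full-commit-sha> # main`. The same applies to the `pr-title-check.yml@main` and `release-please.yml@main` lines changed in the two following hunks of this patch. The job definition begins outside the hunk.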
@@ -10,5 +10,5 @@ jobs: pr-title-check: permissions: pull-requests: read - uses: openfga/sdk-generator/.github/workflows/pr-title-check.yml@main + uses: openfga/.github/.github/workflows/pr-title-check.yml@main diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 4672d6e..89d52f4 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -36,7 +36,7 @@ jobs: if: | github.event_name == 'workflow_dispatch' || startsWith(github.event.head_commit.message, 'release:') - uses: openfga/sdk-generator/.github/workflows/release-please.yml@main + uses: openfga/.github/.github/workflows/release-please.yml@main with: trigger-event: ${{ github.event_name }} bump-type: ${{ inputs.bump-type || 'auto' }} From 8a533d300b21a82b9e7239609c59dcc65b0ec166 Mon Sep 17 00:00:00 2001 From: SoulPancake Date: Tue, 2 Jun 2026 13:02:09 +0530 Subject: [PATCH 3/3] chore: add least-privilege top-level permissions to pr-title workflow --- .github/workflows/pr-title-conventional-commit.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pr-title-conventional-commit.yml b/.github/workflows/pr-title-conventional-commit.yml index 9023236..748e0dd 100644 --- a/.github/workflows/pr-title-conventional-commit.yml +++ b/.github/workflows/pr-title-conventional-commit.yml @@ -6,6 +6,9 @@ on: branches: - main +permissions: + contents: read + jobs: pr-title-check: permissions:
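Review bot: In the last hunk (pr-title-conventional-commit.yml, patch 3/3), the added top-level `permissions: contents: read` does not apply to `pr-title-check`, because that job declares its own `permissions:` block and a job-level block replaces the workflow-level one rather than merging with it. As far as the hunk shows this is the only job, so the new block acts only as a default for jobs added later. If that is the intent, say so with a comment such as `# default for jobs without their own permissions block`, or use `permissions: {}` so that future jobs start with no token scopes. The job list continues outside the hunk, so confirm no other job relies on the default.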