Michael Bolin 5332f6e215 fix: make publish-npm its own job with specific permissions (#3767) ...

The build for `v0.37.0-alpha.3` failed on the `Create GitHub Release`
step:

https://github.com/openai/codex/actions/runs/17786866086/job/50556513221

with:

```
⚠️ GitHub release failed with status: 403
{"message":"Resource not accessible by integration","documentation_url":"https://docs.github.com/rest/releases/releases#create-a-release","status":"403"}
Skip retry — your GitHub token/PAT does not have the required permission to create a release
```

I believe I should have not introduced a top-level `permissions` for the
workflow in https://github.com/openai/codex/pull/3431 because that
affected the `permissions` for each job in the workflow.

This PR introduces `publish-npm` as its own job, which allows us to:

- consolidate all the Node.js-related steps required for publishing
- limit the reach of the `id-token: write` permission
- skip it altogether if is an alpha build

With this PR, each of `release`, `publish-npm`, and `update-branch` has
an explicit `permissions` block.

2025-09-16 22:55:53 -07:00

..

ci.yml

chore: upgrade to actions/setup-node@v5 (#3316)

2025-09-08 09:34:59 -07:00

cla.yml

Fix CLA link in workflow (#964)

2025-05-16 17:11:57 -07:00

codespell.yml

Skip frames files in codespell (#3606)

2025-09-14 18:00:23 -07:00

rust-ci.yml

fix: add check to ensure output of generate_mcp_types.py matches codex-rs/mcp-types/src/lib.rs (#3450)

2025-09-10 23:31:28 -07:00

rust-release.yml

fix: make publish-npm its own job with specific permissions (#3767)

2025-09-16 22:55:53 -07:00