From 16f3df9c2630f923c2acbdb5a24d42bac2a2a601 Mon Sep 17 00:00:00 2001
From: Yeliz Henden
Date: Wed, 17 Jun 2026 12:06:22 +0100
Subject: [PATCH 1/2] fix(ci): grant failure-handler job write permissions in foas release workflow

release-foas-lib.yml sets a least-privilege top-level `permissions: contents: read`, but the failure-handler reusable workflow it calls requires `contents: write` and `issues: write` to open a Jira ticket. A called workflow cannot exceed the calling job's permissions, so GitHub rejected the workflow as invalid. Grant those permissions on the failure-handler job.
---
 .github/workflows/release-foas-lib.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/release-foas-lib.yml b/.github/workflows/release-foas-lib.yml
index 135973d873..e7b03eca49 100644
--- a/.github/workflows/release-foas-lib.yml
+++ b/.github/workflows/release-foas-lib.yml
@@ -52,6 +52,9 @@ jobs:
 name: Failure Handler
 needs: [ run-tests, create-tag ]
 if: ${{ always() && contains(needs.*.result, 'failure') }}
+ permissions:
+ contents: write # failure-handler.yml requires these to open a Jira ticket / issue
+ issues: write
 uses: ./.github/workflows/failure-handler.yml
 with:
 env: "prod"

From 04870565f7fa72026b5e34bd1de8f33c9b29fb33 Mon Sep 17 00:00:00 2001
From: Yeliz Henden
Date: Wed, 17 Jun 2026 12:09:11 +0100
Subject: [PATCH 2/2] fix comments
---
 .github/workflows/release-foas-lib.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/release-foas-lib.yml b/.github/workflows/release-foas-lib.yml
index e7b03eca49..5e7ecbefdb 100644
--- a/.github/workflows/release-foas-lib.yml
+++ b/.github/workflows/release-foas-lib.yml
@@ -27,7 +27,6 @@ jobs:
 needs: [ run-tests ]
 permissions:
 contents: write # required to push the release tag
- # Tag is created only when tests pass (or are explicitly skipped).
 if: >-
 !cancelled() &&
 !contains(needs.*.result, 'failure')
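Review bot: In the first patch's hunk (`@@ -52,6 +52,9 @@`), the failure-handler job is granted `contents: write`, which looks broader than opening a Jira ticket or issue should need; with that scope the called workflow's token can push commits and tags from a release workflow. The caller only has to grant what failure-handler.yml declares, so I would first check whether that workflow really writes repository contents and, if it does not, lower its declaration and narrow this job to `contents: read` next to `issues: write`. failure-handler.yml is not part of this diff, so its actual needs are an assumption here. If the write scope has to stay, a comment on each permission line naming the step that needs it would keep the exception auditable.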
@@ -53,7 +52,7 @@ jobs:
 needs: [ run-tests, create-tag ]
 if: ${{ always() && contains(needs.*.result, 'failure') }}
 permissions:
- contents: write # failure-handler.yml requires these to open a Jira ticket / issue
+ contents: write #required to open a Jira ticket / issue
 issues: write
 uses: ./.github/workflows/failure-handler.yml
 with:
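Review bot: The rewritten comment on `contents: write` (`#required to open a Jira ticket / issue`) has no space after `#`, unlike `# required to push the release tag` on the create-tag job, and it no longer says that the requirement comes from failure-handler.yml or that it also covers `issues: write`. For a write-permission grant, that provenance is what a later reviewer needs in order to decide whether the scope can be dropped. I would write `contents: write # required by failure-handler.yml` and `issues: write # required by failure-handler.yml to open the Jira ticket / issue`. The job definition starts above this hunk and continues below it.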