Add documentation and instructions for fixing release workflow permissions

Copilot · huangyiirene · Copilot · commit 645e907991ef · 2026-01-16T17:56:27.000Z
Co-authored-by: huangyiirene &lt;7665279+huangyiirene@users.noreply.github.com&gt;
diff --git a/.github/RELEASE_SETUP.md b/.github/RELEASE_SETUP.md
@@ -0,0 +1,143 @@
+# Release Workflow Setup Guide
+
+This guide explains how to configure the repository and organization settings required for the automated release workflow to function correctly.
+
+## Problem
+
+If you encounter the following error in the Release workflow:
+
+```
+GitHub Actions is not permitted to create or approve pull requests
+```
+
+This means the required repository setting is not enabled.
+
+## Solution
+
+GitHub has a security setting that controls whether GitHub Actions workflows can create pull requests. This setting must be enabled for the `changesets/action` to create release PRs automatically.
+
+### For Organization Repositories
+
+If your repository belongs to an organization (like `objectstack-ai/objectql`), you must enable the setting at **both** the organization and repository levels:
+
+#### Step 1: Enable at Organization Level
+
+1. Navigate to your organization settings:
+   ```
+   https://github.com/organizations/YOUR_ORG/settings/actions
+   ```
+   Replace `YOUR_ORG` with your organization name (e.g., `objectstack-ai`)
+
+2. Under **Actions > General > Workflow permissions**:
+   - Scroll down to find the section "Workflow permissions"
+   - Check the box: **☑ Allow GitHub Actions to create and approve pull requests**
+   - Click **Save**
+
+> **Note:** You must be an organization owner to change these settings.
+
+#### Step 2: Enable at Repository Level
+
+After enabling at the organization level, enable it for the specific repository:
+
+1. Navigate to your repository settings:
+   ```
+   https://github.com/YOUR_ORG/YOUR_REPO/settings/actions
+   ```
+   For this repo: `https://github.com/objectstack-ai/objectql/settings/actions`
+
+2. Under **Actions > General > Workflow permissions**:
+   - Check the box: **☑ Allow GitHub Actions to create and approve pull requests**
+   - Click **Save**
+
+> **Note:** This option may be grayed out until you enable it at the organization level first.
+
+### For Personal Repositories
+
+If your repository is under a personal account (not an organization):
+
+1. Navigate to your repository settings:
+   ```
+   https://github.com/USERNAME/REPO/settings/actions
+   ```
+
+2. Under **Actions > General > Workflow permissions**:
+   - Check the box: **☑ Allow GitHub Actions to create and approve pull requests**
+   - Click **Save**
+
+## How the Release Workflow Works
+
+Once the settings are enabled:
+
+1. **On merge to `main`**: The workflow runs automatically
+2. **Changesets detected**: If there are `.changeset/*.md` files, the action:
+   - Creates/updates a PR titled "Version Packages"
+   - Updates CHANGELOG.md files
+   - Bumps package.json versions
+3. **Manual merge**: When you merge the "Version Packages" PR:
+   - The workflow publishes packages to npm
+   - Creates GitHub releases with tags
+
+## Troubleshooting
+
+### Error: "GitHub Actions is not permitted to create or approve pull requests"
+
+**Cause**: The repository/organization setting is not enabled.
+
+**Solution**: Follow the steps above to enable the setting.
+
+### Error: "Resource not accessible by integration"
+
+**Cause**: The workflow doesn't have sufficient permissions.
+
+**Solution**: The workflow already has the correct permissions defined:
+```yaml
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+```
+
+If you still see this error, check that you haven't restricted the `GITHUB_TOKEN` permissions in your repository settings.
+
+### The workflow runs but doesn't create a PR
+
+**Cause**: There are no changesets to process.
+
+**Solution**: Contributors should add changesets for their changes:
+```bash
+pnpm changeset
+```
+
+This creates a markdown file in `.changeset/` describing the change and version bump type.
+
+## Security Considerations
+
+Enabling "Allow GitHub Actions to create and approve pull requests" is safe when:
+
+- ✅ Your workflow files (`.github/workflows/`) are protected by branch protection rules
+- ✅ You review workflow changes in PRs before merging
+- ✅ You trust the actions used in your workflows (we use official actions from `changesets`, `actions`, and `pnpm`)
+
+The default `GITHUB_TOKEN` has limited scope and cannot:
+- Push to protected branches without passing checks
+- Bypass branch protection rules
+- Access organization secrets beyond those explicitly granted
+
+## Additional Resources
+
+- [GitHub Docs: Managing GitHub Actions settings](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository)
+- [Changesets Documentation](https://github.com/changesets/changesets)
+- [GitHub Blog: Prevent Actions from creating PRs](https://github.blog/changelog/2022-05-03-github-actions-prevent-github-actions-from-creating-and-approving-pull-requests/)
+
+## Quick Reference
+
+| Level | URL Template | Required For |
+|-------|-------------|--------------|
+| **Organization** | `https://github.com/organizations/{ORG}/settings/actions` | Organization repos (enable first) |
+| **Repository** | `https://github.com/{ORG}/{REPO}/settings/actions` | All repos (enable after org) |
+| **Personal** | `https://github.com/{USER}/{REPO}/settings/actions` | Personal repos only |
+
+---
+
+**Last Updated**: January 2026  
+**Maintainer**: ObjectStack AI Team
diff --git a/.github/WORKFLOWS.md b/.github/WORKFLOWS.md
@@ -42,6 +42,12 @@ This document describes all the GitHub Actions workflows configured for the Obje
 - Publishes packages to npm when merged
 - Requires NPM_TOKEN secret
 
+**⚠️ Setup Required:** This workflow requires enabling a GitHub setting. See [RELEASE_SETUP.md](RELEASE_SETUP.md) for detailed setup instructions.
+
+**Common Issues:**
+- Error: "GitHub Actions is not permitted to create or approve pull requests"
+  - **Solution:** Enable the setting at organization/repository level (see setup guide)
+
 ### 📝 [changelog-preview.yml](workflows/changelog-preview.yml) ✨ NEW
 **Purpose:** Preview changelog before release  
 **Triggers:** Pull Requests  
@@ -182,6 +188,19 @@ The following secrets need to be configured in repository settings:
 - `NPM_TOKEN` - For publishing packages to npm (required by release.yml)
 - `CODECOV_TOKEN` - For uploading coverage reports (optional for coverage.yml)
 
+## Required Repository Settings
+
+### Release Workflow
+
+For the release workflow to create pull requests automatically, you must enable:
+
+**Repository Settings > Actions > General > Workflow permissions**
+- ☑ Allow GitHub Actions to create and approve pull requests
+
+For organization repositories, this must also be enabled at the organization level first.
+
+**📖 See [RELEASE_SETUP.md](RELEASE_SETUP.md) for complete setup instructions and troubleshooting.**
+
 ---
 
 ## Workflow Status Badges
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,16 @@ on:
 
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
+# IMPORTANT: For this workflow to work, you must enable the following setting:
+# Repository Settings > Actions > General > Workflow permissions
+# ☑ Allow GitHub Actions to create and approve pull requests
+# 
+# For organizations: This must be enabled at the organization level first:
+# Organization Settings > Actions > General > Workflow permissions
+# ☑ Allow GitHub Actions to create and approve pull requests
+#
+# See: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests
+
 permissions:
   contents: write
   issues: write
diff --git a/README.md b/README.md
@@ -295,6 +295,28 @@ If you fork or clone the repository to contribute or run examples from source:
    # Output: Plugin initialization, Employee creation logs, Audit trails
    ```
 
+### For Repository Maintainers
+
+#### Release Process Setup
+
+The repository uses automated releases via Changesets. To enable the release workflow:
+
+1. Configure required GitHub settings (organization owners only):
+   - See [.github/RELEASE_SETUP.md](.github/RELEASE_SETUP.md) for detailed instructions
+   
+2. Add required secrets:
+   - `NPM_TOKEN`: Token for publishing to npm
+
+#### Adding Changes
+
+When making changes, add a changeset describing the change:
+
+```bash
+pnpm changeset
+```
+
+This creates a file in `.changeset/` that will be used to generate changelogs and version bumps.
+
 ---
 
 ## ⚖️ License
