Skip to content

[version bump] handlebars#85

Merged
maitxn merged 2 commits into
masterfrom
maitxn/version-bump-handlebars
Jun 11, 2026
Merged

[version bump] handlebars#85
maitxn merged 2 commits into
masterfrom
maitxn/version-bump-handlebars

Conversation

@maitxn

@maitxn maitxn commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Version bump: Updates the handlebars transitive dependency from 4.7.8 to 4.7.9 to resolve a batch of critical security advisories.
  • CI fix: Grants deployments: write permission to the test and deploy jobs so the action's delete-all / create steps can manage deployment statuses.

Why the CI fix is needed

The build-test run on this branch failed at the Delete all deployments step with:

HttpError: Resource not accessible by integration (403)
Delete all deployments failed
POST /repos/npm/action-deploy/deployments/:id/statuses

The job's GITHUB_TOKEN was running with the default read-only permission set:

Contents: read
Metadata: read
Packages: read

Invalidating a deployment requires POST .../deployments/:id/statuses, which needs deployments: write. Adding an explicit permissions block restores the required scope. This PR is not cross-repository, so the elevated token permission applies.

Changes

File Change
.github/workflows/test.yml Add permissions: deployments: write / contents: read to the test job
.github/workflows/deploy.yml Add permissions: deployments: write / contents: read to the deploy job
package-lock.json Bump handlebars 4.7.8 → 4.7.9

@maitxn maitxn self-assigned this Jun 10, 2026
@maitxn maitxn requested a review from Copilot June 10, 2026 20:33

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Fixes 403 'Resource not accessible by integration' when the delete-all
step invalidates deployments. GITHUB_TOKEN defaulted to read-only, so
POST /deployments/:id/statuses was rejected.
@maitxn maitxn merged commit 1ccc472 into master Jun 11, 2026
4 checks passed
@maitxn maitxn deleted the maitxn/version-bump-handlebars branch June 11, 2026 15:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants