fix(ci): address reviewer feedback on permissions and ordering

ashish921998 · claude · ashish921998 · commit f2d5eaae9a9b · 2026-04-27T23:56:34.000+05:30
- Remove id-token:write from both workflows (unused — no OIDC/provenance)
- Move HUSKY=0 before pnpm install in both workflows so install hooks
  can't fire before the env var is set
- Add comments on canary-temp.md lifecycle and CANARY_VERSION path
- Update stale version placeholder in CONTRIBUTING.md to x.y.z-nightly-&lt;sha&gt;

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml
@@ -13,7 +13,6 @@ concurrency:
 permissions:
   contents: read
   pull-requests: write
-  id-token: write
 
 jobs:
   canary:
@@ -53,10 +52,10 @@ jobs:
           cache: pnpm
           registry-url: https://registry.npmjs.org
 
-      - run: pnpm install --frozen-lockfile
+      - run: echo "HUSKY=0" >> $GITHUB_ENV
         if: steps.check_sha.outputs.skip == 'false'
 
-      - run: echo "HUSKY=0" >> $GITHUB_ENV
+      - run: pnpm install --frozen-lockfile
         if: steps.check_sha.outputs.skip == 'false'
 
       - run: pnpm -r --filter '!@aoagents/ao-web' build
@@ -65,7 +64,8 @@ jobs:
       - name: Create snapshot versions
         if: steps.check_sha.outputs.skip == 'false'
         run: |
-          # If no changesets exist, create a minimal one so snapshot has something to work with.
+          # If no changesets exist (e.g. after a Version Packages merge), create a minimal one.
+          # changeset version --snapshot consumes and deletes it — no cleanup needed.
           if [ -z "$(ls .changeset/*.md 2>/dev/null | grep -vi 'README')" ]; then
             printf -- '---\n"@aoagents/ao": patch\n---\n\nchore: canary build\n' > .changeset/canary-temp.md
           fi
@@ -78,6 +78,7 @@ jobs:
         id: publish
         run: |
           pnpm changeset publish --tag nightly --no-git-tag
+          # packages/ao is the user-facing CLI package; update this path if the package is renamed.
           CANARY_VERSION=$(node -p "require('./packages/ao/package.json').version")
           echo "version=$CANARY_VERSION" >> "$GITHUB_OUTPUT"
         env:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,7 +11,6 @@ concurrency:
 permissions:
   contents: write
   pull-requests: write
-  id-token: write
 
 jobs:
   release:
@@ -27,8 +26,8 @@ jobs:
           node-version: 20
           cache: pnpm
           registry-url: https://registry.npmjs.org
-      - run: pnpm install --frozen-lockfile
       - run: echo "HUSKY=0" >> $GITHUB_ENV
+      - run: pnpm install --frozen-lockfile
       - run: pnpm -r --filter '!@aoagents/ao-web' build
       - uses: changesets/action@v1
         with:
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -80,7 +80,7 @@ Without this secret, both `release.yml` and `canary.yml` will fail at the publis
 ### After your PR merges (~15 min)
 The canary bot comments on your merged PR with the exact install command:
 ```bash
-npm install -g @aoagents/ao@0.2.5-nightly-abc1234
+npm install -g @aoagents/ao@x.y.z-nightly-<sha>
 ```
 
 ### Latest main at any time
