@aaronsteers aaronsteers commented Dec 14, 2025

Summary

Fixes the /prerelease slash command workflow which was failing with:

Error calling workflow 'airbytehq/PyAirbyte/.github/workflows/pypi_publish.yml'. 
The nested job 'publish' is requesting 'contents: write, id-token: write', 
but is only allowed 'contents: read, id-token: none'.

The fix adds the required permissions to prerelease-command.yml so it can call the nested pypi_publish.yml workflow:

  • contents: write - Required by the publish job for GitHub release uploads (only used on tag pushes)
  • id-token: write - Required for OIDC trusted publishing to PyPI

Review & Testing Checklist for Human

  • Test the /prerelease command end-to-end by commenting /prerelease on a test PR after merging. This is the only way to verify the fix works since the workflow requires the slash command dispatch infrastructure.
  • Verify OIDC publishing succeeds - If PyPI's trusted publisher is configured to expect a different workflow filename (e.g., publish.yml instead of pypi_publish.yml), publishing will fail with an explicit error. Check the workflow logs if it fails.

Notes

  • The contents: write permission is broader than strictly needed for prereleases (which don't upload to GitHub releases), but is required because the nested publish job declares it at the job level.
  • This workflow allows prereleases from fork PRs (per previous discussion), which combined with these elevated permissions is a security consideration - only maintainers can trigger the command.

Link to Devin run: https://app.devin.ai/sessions/c86d36be59664129af00617d0e66bc4d
Requested by: AJ Steers (@aaronsteers)

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow permissions to enhance prerelease automation capabilities and security.
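
The permission cap behind the error quoted in this PR, as an added example that is not code from the PR or the PyAirbyte repository: a called workflow's job may not request more than the calling workflow grants, and scopes left out of a `permissions` block count as `none`. The function names are hypothetical, and the `NESTED`, `BEFORE` and `AFTER` maps are constructed from the values quoted in this PR, not read from the actual workflow files.

```python
"""Pre-merge check: does a caller workflow grant what a called workflow's jobs request?"""

LEVELS = {"none": 0, "read": 1, "write": 2}
SHORTHAND = {"read-all": "read", "write-all": "write"}


def effective(granted, scope):
    """Level the caller grants for one scope."""
    if isinstance(granted, str):  # `permissions: read-all` / `write-all`
        return SHORTHAND[granted]
    # Once a permissions block is present, any scope it omits is "none".
    return granted.get(scope, "none")


def exceeded(caller_perms, nested_jobs):
    """Return {job: {scope: (requested, allowed)}} for every over-request."""
    problems = {}
    for job, requested in nested_jobs.items():
        over = {
            scope: (level, effective(caller_perms, scope))
            for scope, level in sorted(requested.items())
            if LEVELS[level] > LEVELS[effective(caller_perms, scope)]
        }
        if over:
            problems[job] = over
    return problems


def describe(problems):
    """Format findings in the same shape as the error quoted in the PR."""
    lines = []
    for job, over in problems.items():
        asked = ", ".join(f"{s}: {req}" for s, (req, _) in over.items())
        allowed = ", ".join(f"{s}: {got}" for s, (_, got) in over.items())
        lines.append(
            f"The nested job '{job}' is requesting '{asked}', "
            f"but is only allowed '{allowed}'."
        )
    return lines


# Constructed inputs (assumptions), taken from the values quoted in this PR.
NESTED = {"publish": {"contents": "write", "id-token": "write"}}
BEFORE = {"contents": "read"}                         # caller before the fix
AFTER = {"contents": "write", "id-token": "write"}    # caller after the fix

if __name__ == "__main__":
    for label, caller in (("before", BEFORE), ("after", AFTER)):
        print(label, describe(exceeded(caller, NESTED)) or "ok")
```
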


@devin-ai-integration

Original prompt from AJ Steers
Received message in Slack channel #ask-devin-ai:

@Devin Please refresh my memory on this one. IIRC:
1. We may already have a PR but I don't recall why it wasn't merged.
2. The destination-side fix (probably in the CDK) is to not care if a namespace is provided as null. (Difference between _not_ being sent or being sent _as null_ is a JSON delivery nuance.)

Thread URL: https://airbytehq-team.slack.com/archives/C08BHPUMEPJ/p1765591320408679

Quote of conversation (https://airbytehq-team.slack.com/archives/C06FZ238P8W/p1765588766040519?thread_ts=1765588766.040519&cid=C06FZ238P8W):
> From Biplove Jaisi
> Hi everyone :wave:

> I’m trying to use PyAirbyte to move data from an S3 source to an Iceberg destination. The sync from the source to DuckDB cache works fine, but when loading into Iceberg, I’m getting an error saying that the namespace cannot be null.

> The issue is that the S3 source doesn’t seem to have any field or config option to populate the namespace, so I’m not sure how to handle this requirement on the destination side.

> Has anyone faced this before or found a workaround? Any guidance would be really appreciated. Thanks in advance! :pray:
> Posted on December 13, 2025 at 01:19 AM

@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


@github-actions

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

Testing This PyAirbyte Version

You can test this version of PyAirbyte using the following:

# Run PyAirbyte CLI from this branch:
uvx --from 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1765670835-fix-prerelease-permissions' pyairbyte --help

# Install PyAirbyte from this branch for development:
pip install 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1765670835-fix-prerelease-permissions'

Helpful Resources

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

  • /fix-pr - Fixes most formatting and linting issues
  • /poetry-lock - Updates poetry.lock file
  • /test-pr - Runs tests with the updated PyAirbyte
  • /prerelease - Builds and publishes a prerelease version to PyPI

Community Support

Questions? Join the #pyairbyte channel in our Slack workspace.


@aaronsteers aaronsteers merged commit 3869ac4 into main Dec 14, 2025
18 checks passed
@aaronsteers aaronsteers deleted the devin/1765670835-fix-prerelease-permissions branch December 14, 2025 00:11
@coderabbitai

coderabbitai bot commented Dec 14, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

Updated GitHub Actions workflow permissions in the prerelease-command workflow by replacing contents: read with contents: write and adding id-token: write permission to support enhanced workflow capabilities.

Changes

Cohort / File(s): GitHub Actions Workflow Permissions (.github/workflows/prerelease-command.yml)
Summary: Modified permissions section: replaced contents: read with contents: write and added id-token: write. No changes to workflow steps or control flow.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

  • Single configuration file with straightforward permission updates
  • No logic or functional changes involved

📜 Recent review details

📥 Commits

Reviewing files that changed from the base of the PR and between 60a087f and c5d436a.

📒 Files selected for processing (1)
  • .github/workflows/prerelease-command.yml (1 hunks)
