Release by 18.03.2026 by Yakutoc · Pull Request #2611 · salute-developers/plasma

Yakutoc · 2026-03-17T13:13:23Z

Core

TextField

расширены примеры документации

PR

NumberInput

добавлено свойство displayWithoutValue для отображения компонента без значения
добавлено свойство limitBehavior для управления поведением кнопок при достижении граничных значений

PR

Sheet

добавлена функция cleanup для корректной работы с глобальным body.style.overflowY

PR

Price

расширили type для свойства currency до string, что бы можно было указать валидное значение из ISO 4217 (а не только из предустановленного списка)

PR

Attach

добавлен аргумент для callback onClear

PR

Popover

улучшены примеры документации
добавлен пример как избежать потерю скругления между компонентом и slot контейнером
добавлено наследование для border-radius на уровне popover.style

PR

SDDS-PLATFORM-AI

Rating, DateTimePicker, DatePicker

добавлены в поставку

PR

PLASMA-GIGA

Theme

изменено значение для токена SurfaceDefaultCard

PR

SDDS-CS

Button, IconButton

исправлен токен для buttonBackground на surface-solid-secondary

PR

Build

убрана поставка styled-components. По умолчанию стала emotion;

PR

# Conflicts: # packages/plasma-asdk/package.json

handle ISO 4217 for currency

replace `--surface-solid-primary` `--surface-solid-secondary`

.github/workflows/mcp-data-upload.yml

+        name: Upload ${{ matrix.package_name }} MCP data
+        if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+        runs-on: ubuntu-22.04
+        strategy:
+            fail-fast: false
+            matrix:
+                include:
+                    -   package_name: plasma-web
+                    -   package_name: plasma-b2c
+                    -   package_name: plasma-giga
+                    -   package_name: sdds-finai
+        steps:
+            -   name: Checkout manual ref
+                if: ${{ github.event_name == 'workflow_dispatch' }}
+                uses: actions/checkout@v4
+                with:
+                    show-progress: false
+
+            -   name: Checkout release commit
+                if: ${{ github.event_name == 'workflow_run' }}
+                uses: actions/checkout@v4
+                with:
+                    ref: ${{ github.event.workflow_run.head_sha }}
+                    show-progress: false
+
+            -   name: Prepare environment
+                uses: ./.github/actions/prepare-environment
+
+            -   name: Read ${{ matrix.package_name }} version
+                run: |
+                    PACKAGE_VERSION=$(node -p "require('./packages/${{ matrix.package_name }}/package.json').version")
+                    echo "PACKAGE_VERSION=$PACKAGE_VERSION" >> $GITHUB_ENV
+                    echo "S3_TARGET_VERSION_PATH=s3://${{ secrets.AWS_S3_BUCKET_2 }}/mcp/${{ matrix.package_name }}/$PACKAGE_VERSION/" >> $GITHUB_ENV
+                    echo "S3_TARGET_LATEST_PATH=s3://${{ secrets.AWS_S3_BUCKET_2 }}/mcp/${{ matrix.package_name }}/latest/" >> $GITHUB_ENV
+
+            -   name: Lerna bootstrap
+                uses: nick-fields/retry@v3
+                with:
+                    timeout_minutes: 30
+                    max_attempts: 2
+                    retry_on: error
+                    command: npx lerna bootstrap
+
+            -   name: Build ${{ matrix.package_name }}-docs
+                env:
+                    NODE_OPTIONS: "--max_old_space_size=10240"
+                run: npm run build --prefix="./website/${{ matrix.package_name }}-docs" -- --no-minify
+
+            -   name: Generate index
+                run: npm run generate-index --prefix="./website/${{ matrix.package_name }}-docs"
+
+            -   name: Generate MCP data
+                run: npm run generate-mcp-data --prefix="./website/${{ matrix.package_name }}-docs"
+
+            -   name: Install s3cmd
+                run: pip3 install s3cmd
+
+            -   name: Clean target S3 path
+                run: |
+                    s3cmd \
+                    --access_key ${{ secrets.AWS_ACCESS_KEY_ID }} \
+                    --secret_key ${{ secrets.AWS_SECRET_ACCESS_KEY }} \
+                    --host ${{ secrets.AWS_ENDPOINT }} \
+                    --host-bucket ${{ secrets.AWS_ENDPOINT }} \
+                    --bucket-location ${{ secrets.AWS_REGION }} \
+                    --signature-v2 \
+                    del \
+                    --recursive \
+                    --force \
+                    ${{ env.S3_TARGET_VERSION_PATH }}
+
+            -   name: Upload MCP data to versioned s3 path
+                run: >
+                    s3cmd
+                    --access_key ${{ secrets.AWS_ACCESS_KEY_ID }}
+                    --secret_key ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+                    --host ${{ secrets.AWS_ENDPOINT }}
+                    --host-bucket ${{ secrets.AWS_ENDPOINT }}
+                    --bucket-location ${{ secrets.AWS_REGION }}
+                    --signature-v2
+                    --delete-removed
+                    --no-mime-magic
+                    sync
+                    ./website/${{ matrix.package_name }}-docs/mcpData/
+                    ${{ env.S3_TARGET_VERSION_PATH }}
+
+            -   name: Clean latest S3 path
+                run: |
+                    s3cmd \
+                    --access_key ${{ secrets.AWS_ACCESS_KEY_ID }} \
+                    --secret_key ${{ secrets.AWS_SECRET_ACCESS_KEY }} \
+                    --host ${{ secrets.AWS_ENDPOINT }} \
+                    --host-bucket ${{ secrets.AWS_ENDPOINT }} \
+                    --bucket-location ${{ secrets.AWS_REGION }} \
+                    --signature-v2 \
+                    del \
+                    --recursive \
+                    --force \
+                    ${{ env.S3_TARGET_LATEST_PATH }}
+
+            -   name: Upload MCP data to latest s3 path
+                run: >
+                    s3cmd
+                    --access_key ${{ secrets.AWS_ACCESS_KEY_ID }}
+                    --secret_key ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+                    --host ${{ secrets.AWS_ENDPOINT }}
+                    --host-bucket ${{ secrets.AWS_ENDPOINT }}
+                    --bucket-location ${{ secrets.AWS_REGION }}
+                    --signature-v2
+                    --delete-removed
+                    --no-mime-magic
+                    sync
+                    ./website/${{ matrix.package_name }}-docs/mcpData/
+                    ${{ env.S3_TARGET_LATEST_PATH }}


In general, to fix this type of issue you explicitly define permissions: either at the workflow level (applies to all jobs) or for the specific job, limiting the GITHUB_TOKEN to the minimal scopes needed. For this workflow, the job only needs to read repository contents (for checkout); all deployment actions use AWS credentials via secrets and interact with S3 directly, not GitHub. So contents: read is sufficient and matches the minimal recommendation from CodeQL.

The best fix with no functional change is to add a permissions: block for the upload-mcp-data job (or at the workflow root). To keep the edit tightly scoped to the code shown, we’ll add it at the job level under upload-mcp-data:. Concretely, in .github/workflows/mcp-data-upload.yml, after line 12 (the job name:), insert:

permissions: contents: read

with indentation matching the existing YAML structure (8 spaces before permissions and 12 before contents). No additional imports or methods are required since this is a configuration-only change.

.github/workflows/publish-platform-ai.yml

+    name: Release PLATFORM-AI next branch
+    if: github.ref == 'refs/heads/next-platform-ai'
+    uses: ./.github/workflows/publish-common.yml
+    with:
+      auto-options: '--no-changelog'
+    secrets:
+      gh_token: ${{ secrets.GH_TOKEN }}
+      npm_registry_token: ${{ secrets.NPM_REGISTRY_TOKEN }}


In general, the fix is to add an explicit permissions: block that grants only the minimal required scopes to the GITHUB_TOKEN. This can be done at the workflow root (applying to all jobs without their own permissions) or at the job level. Here, there is a single publish job that delegates to a reusable workflow; the safest non-breaking change is to define conservative permissions at the workflow root, which the reusable workflow can still narrow further if needed.

Concretely, in .github/workflows/publish-platform-ai.yml, add a permissions: block after the on: section (before concurrency:). As a minimal secure default for a release/publish workflow, use read-only repository access unless you know it must write to contents, deployments, etc. Since we must avoid assumptions about additional behavior, we will restrict to contents: read and packages: read, which aligns with GitHub’s recommended minimal starting point and does not introduce new functionality. If publish-common.yml needs broader rights, it should declare them explicitly itself. No imports or additional methods are needed; this is purely a YAML configuration change.

.github/workflows/publish-sbcom.yml

+    name: Release SBCOM next branch
+    if: github.ref == 'refs/heads/next-sbcom'
+    uses: ./.github/workflows/publish-common.yml
+    with:
+      auto-options: '--no-changelog'
+    secrets:
+      gh_token: ${{ secrets.GH_TOKEN }}
+      npm_registry_token: ${{ secrets.NPM_REGISTRY_TOKEN }}


To fix the problem, add an explicit permissions block so the GITHUB_TOKEN rights are constrained instead of inheriting potentially broad repository defaults. Since this workflow only dispatches a reusable workflow and does not itself interact with repository contents, a safe minimal starting point is contents: read. If the reusable workflow needs broader rights, those should be declared in that workflow; here we only need to ensure this caller workflow is not implicitly granting write access.

The single best change that preserves existing behavior is to add a root‑level permissions section near the top of .github/workflows/publish-sbcom.yml, after the name (or before on:), with least‑privilege read access to repo contents. Concretely, in .github/workflows/publish-sbcom.yml, insert:

permissions: contents: read

between line 2 and line 3. No imports or additional definitions are required, as this is purely a YAML configuration change.

github-actions · 2026-03-17T13:16:36Z

Theme Builder app deployed!

https://plasma.sberdevices.ru/pr/plasma-theme-builder-pr-2611/

github-actions · 2026-03-17T13:45:54Z

Documentation preview deployed!

Yakutoc and others added 30 commits March 5, 2026 16:59

Merge remote-tracking branch 'origin/master' into dev

720fb04

docs(textfield): add example for cleaning logic [PLASMA-6734]

be84255

docs(textfield): rework doc examples [PLASMA-6734]

403210f

feat(new-hope): add Input

9a54431

feat(plasma-new-hope): add UserMessage AI-component

a72ab91

feat(plasma-new-hope): add tokens for nested DisclosureIcon

827b481

ci(publish): rework publish next tags

3b82f3c

feat(plasma-tokens): Add theme sdds_sbcom

92c89ec

feat(sdds-themes): Update sdds_sbcom theme

da23371

chore(asdk): fix storybook different version between core and package

cf79143

chore(asdk): fix storybook migration issue

ca188bc

ci(meta): fix build

b2f369d

docs(textfield): add readonly example [PLASMA-6609]

54d42be

fix(plasma-tokens): Update sdds_sbcom theme

44a7aef

fix(sdds-themes): Update sdds_sbcom theme

6e4d1ce

Merge remote-tracking branch 'origin/master' into dev

3fa128a

# Conflicts: # packages/plasma-asdk/package.json

ci: fix typo [no ci]

39ff41e

feat(docs): mcp

0dc6def

feat(plasma-new-hope): add layout-related props to NumberInput

21181b1

docs: refactor NumberInput docs

1336d51

feat: refactor & update tests for NumberInput

af07a6a

feat(plasma-giga): add index generation for plasma-giga

766b82d

feat(): add b2c and finai to the mcp

6438e62

fix(useOverflow): add cleanup function [PLASMA-6815]

1c72e3b

fix(price): Extend prop currency to string [PLASMA-6643]

0e3142f

handle ISO 4217 for currency

docs(storybook): Extend prop currency to string [PLASMA-6643]

90cdbaf

fix(attach): add file information to onClear callback [PLASMA-6720]

1753ab0

fix(storybook): fix storybook version [PLASMA-6720]

8a7101c

docs(storybook): enable font "Roboto"

8992332

fix(theme): update sdds_sbcom theme

6d356cc

Yakutoc and others added 10 commits March 17, 2026 10:07

fix: update config [PLASMA-6757]

dc05cbf

fix(stories): fix stories [PLASMA-6757]

00a56e4

docs: delete unnecessary components [PLASMA-6757]

5fbb603

docs: fix docs [PLASMA-6757]

7850d8d

fix(stories): fix stories [PLASMA-6757]

c7d99ac

fix(button): fix config [PLASMA-6871]

a812e1b

replace `--surface-solid-primary` `--surface-solid-secondary`

chore(cypress): update snapshots [PLASMA-6871]

82bc8df

feat(sdds-cs): remove styled-components from distribution

79c5097

Update versions

89d505b

fix(lock): update lock files

174bd5c

Yakutoc requested review from TitanKuzmich, Yeti-or, neretin-trike and shuga2704 as code owners March 17, 2026 13:13

Yakutoc temporarily deployed to internal March 17, 2026 13:13 — with GitHub Actions Inactive

Yakutoc requested a review from IgorYar March 17, 2026 13:14

Yakutoc changed the title ~~Release by 17.03.2026~~ Release by 18.03.2026 Mar 17, 2026

github-advanced-security bot found potential problems Mar 17, 2026

View reviewed changes

Yakutoc self-assigned this Mar 17, 2026

TitanKuzmich approved these changes Mar 17, 2026

View reviewed changes

feat(sdds-cs): remove disabled & size from Button stories controll

e8a3eb9

TitanKuzmich temporarily deployed to internal March 18, 2026 10:27 — with GitHub Actions Inactive

IgorYar approved these changes Mar 18, 2026

View reviewed changes

Yakutoc merged commit ddd447b into master Mar 18, 2026
48 checks passed

Yakutoc deleted the release_2025-03-18 branch March 18, 2026 12:03

Yakutoc mentioned this pull request Mar 31, 2026

Release by 31.03.2026 #2662

Closed

@@ -8,6 +8,10 @@
                       required: true
                       default: 'next-platform-ai'
+            permissions:
+              contents: read
+              packages: read
             concurrency:
               group: ${{ github.workflow }}-${{ github.ref }}
               cancel-in-progress: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Release by 18.03.2026#2611

Release by 18.03.2026#2611
Yakutoc merged 65 commits intomasterfrom
release_2025-03-18

Yakutoc commented Mar 17, 2026 •

edited

Loading

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

github-actions bot commented Mar 17, 2026

Uh oh!

github-actions bot commented Mar 17, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants

Conversation

Yakutoc commented Mar 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Core

TextField

NumberInput

Sheet

Price

Attach

Popover

SDDS-PLATFORM-AI

Rating, DateTimePicker, DatePicker

PLASMA-GIGA

Theme

SDDS-CS

Button, IconButton

Build

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

github-actions bot commented Mar 17, 2026

Uh oh!

github-actions bot commented Mar 17, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants

Yakutoc commented Mar 17, 2026 •

edited

Loading