From 9fff64020f22957a966db659bfa5afbefa87fcbc Mon Sep 17 00:00:00 2001
From: Steve Degosserie <723552+stiiifff@users.noreply.github.com>
Date: Fri, 12 Dec 2025 12:33:00 +0100
Subject: [PATCH] fix: Grant required permissions to reusable workflows in
 CI.yml (#355)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

Fixes the CI failure introduced by #349 where reusable workflows
couldn't use the permissions they declared.

## Root Cause

When using `workflow_call` (reusable workflows), the **called workflow's
permissions are constrained by the caller**. A called workflow cannot
request more permissions than the calling workflow grants.

PR #349 added explicit permissions to individual workflows (e.g.,
`actions: write` in task-build-operator.yml), but removed them from
CI.yml. This caused failures because:

```
CI.yml (contents: read only)
    └── task-build-operator.yml (requests actions: write)
        └── FAILS: caller doesn't grant actions: write
```

## Fix

Grant the necessary permissions in CI.yml so called workflows can use
them:

```yaml
permissions:
  contents: read
  actions: write    # For artifact upload/download
  packages: write   # For ghcr.io push
```

## Why the individual workflow permissions still matter

The explicit permissions in called workflows are still valuable for:
1. **Documentation** - Makes the intent clear
2. **Direct invocation** - Works when called via `workflow_dispatch`
3. **Defense in depth** - If CI.yml grants more than needed, called
workflows still request only what they need

Co-authored-by: Claude <noreply@anthropic.com>
---
 .github/workflows/CI.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index c66e712b..dbb1eb44 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -11,10 +11,12 @@ on:
   pull_request:
     branches: [main]
 
-# Explicit minimal permissions
-# Note: Reusable workflows define their own permissions
+# Permissions granted to reusable workflows
+# Note: Called workflows (workflow_call) are constrained by these permissions
 permissions:
   contents: read
+  actions: write    # Required for artifact upload/download in build-operator, moonwall-tests
+  packages: write   # Required for docker-build-ci to push to ghcr.io
 
 concurrency:
   group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}