mirror of
https://github.com/datahaven-xyz/datahaven
synced 2026-05-24 09:50:01 +00:00
## Summary

Fixes the CI failure introduced by #349 where reusable workflows couldn't use the permissions they declared.

## Root Cause

When using `workflow_call` (reusable workflows), the **called workflow's permissions are constrained by the caller**. A called workflow cannot request more permissions than the calling workflow grants.

PR #349 added explicit permissions to individual workflows (e.g., `actions: write` in task-build-operator.yml), but removed them from CI.yml. This caused failures because:

```
CI.yml (contents: read only)
└── task-build-operator.yml (requests actions: write)
    └── FAILS: caller doesn't grant actions: write
```

## Fix

Grant the necessary permissions in CI.yml so called workflows can use them:

```yaml
permissions:
  contents: read
  actions: write   # For artifact upload/download
  packages: write  # For ghcr.io push
```

## Why the individual workflow permissions still matter

The explicit permissions in called workflows are still valuable for:

1. **Documentation** - Makes the intent clear
2. **Direct invocation** - Works when called via `workflow_dispatch`
3. **Defense in depth** - If CI.yml grants more than needed, called workflows still request only what they need

Co-authored-by: Claude <noreply@anthropic.com>
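As an added example (not part of this commit or the repository's code), a small Python check that applies the caller-constrains-callee rule described above: it extracts each workflow's top-level `permissions:` block with a minimal line-based parser (no PyYAML needed) and lists the scopes a called workflow requests above what the caller grants. The workflow snippets are constructed to mirror the before/after state in the commit message.

```python
import re

LEVELS = {"none": 0, "read": 1, "write": 2}

# Constructed sample workflows (not the repository's real files) mirroring the
# commit message: CI.yml grants only contents: read, the called one asks for more.
CI_BEFORE = """\
permissions:
  contents: read
"""
CI_AFTER = """\
permissions:
  contents: read
  actions: write   # For artifact upload/download
  packages: write  # For ghcr.io push
"""
CALLED = """\
permissions:
  contents: read
  actions: write
  packages: write
"""

def top_level_permissions(yaml_text):
    """Top-level `permissions:` block as {scope: level}; minimal line-based
    parse that also accepts the read-all/write-all shorthand. An absent block
    yields {} (treated as granting nothing; GitHub would apply repo defaults)."""
    lines = yaml_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(read-all|write-all)?\s*$", line)
        if not m:
            continue
        if m.group(1):
            return {"*": m.group(1).split("-")[0]}
        perms = {}
        for nxt in lines[i + 1:]:
            kv = re.match(r"^\s+([\w-]+):\s*(none|read|write)\s*(#.*)?$", nxt)
            if not kv:
                break
            perms[kv.group(1)] = kv.group(2)
        return perms
    return {}

def over_requested(caller_yaml, called_yaml):
    """Scopes the callee requests above the caller's grant (unlisted = none)."""
    caller = top_level_permissions(caller_yaml)
    called = top_level_permissions(called_yaml)
    return sorted(scope for scope, level in called.items()
                  if scope != "*" and LEVELS[level]
                  > LEVELS[caller.get(scope, caller.get("*", "none"))])
```

Running `over_requested(CI_BEFORE, CALLED)` reproduces the failing state (`actions` and `packages` are over-requested), while `over_requested(CI_AFTER, CALLED)` returns an empty list.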