Skip to content

fix: add missing CodeQL permissions to release-please validate job#39

Merged
tolgakaratas merged 1 commit into
mainfrom
fix/release-please-permissions
Apr 5, 2026
Merged

fix: add missing CodeQL permissions to release-please validate job#39
tolgakaratas merged 1 commit into
mainfrom
fix/release-please-permissions

Conversation

@tolgakaratas

Copy link
Copy Markdown
Contributor

Summary

The validate job in release-please.yml calls build.yml via workflow_call. build.yml now contains a codeql job that requires actions: read and security-events: write. Without these permissions, the nested workflow fails:

Error calling workflow. The nested job 'codeql' is requesting 'actions: read, security-events: write', but is only allowed 'actions: none, security-events: none'.

Root Cause

PR #38 added permissions: { contents: read } to build.yml (for Token-Permissions alert #3). This restricts the default token scope. When build.yml is called via workflow_call from release-please.yml, the caller must grant the permissions the callee needs.

Fix

Add actions: read and security-events: write to the validate job's permissions block in release-please.yml.

Lesson Learned

When adding workflow-level permissions to a reusable workflow (workflow_call), all callers must be updated to grant the new permissions. This should be checked before merge.

Test plan

  • release-please.yml workflow passes without permission errors

The validate job calls build.yml which contains a codeql job requiring
actions:read and security-events:write. Without these permissions the
nested workflow fails with "requesting permissions not allowed".
@github-actions github-actions Bot added ci CI/CD changes docs Documentation labels Apr 4, 2026
@tolgakaratas tolgakaratas merged commit f6f8bc3 into main Apr 5, 2026
58 checks passed
@tolgakaratas tolgakaratas deleted the fix/release-please-permissions branch April 5, 2026 00:09
tolgakaratas pushed a commit that referenced this pull request Apr 27, 2026
🤖 I have created a release *beep* *boop*
---


##
[1.3.4](v1.3.3...v1.3.4)
(2026-04-06)


### Bug Fixes

* add missing CodeQL permissions to release-please validate job
([#39](#39))
([f6f8bc3](f6f8bc3))
* critical security fixes and agent compliance enforcement
([#38](#38))
([c21b7cc](c21b7cc))
* **deps:** update jsoup 1.10.3 → 1.17.2
([#47](#47))
([e1bfeb1](e1bfeb1))
* release lock on InterruptedException in ServerCommunication
([#43](#43))
([7b332c5](7b332c5))
* resolve CodeQL phase 2 security and quality alerts
([#41](#41))
([056df0f](056df0f))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci CI/CD changes docs Documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant