ci(release): grant contents:read to sync-templates caller job #1095

Merged
ascorbic merged 1 commit into main from fix/release-workflow-sync-templates-permissions
May 18, 2026

@ascorbic
Collaborator

What does this PR do?

Fixes the release workflow, which has been failing with a startup error since the merge of #1059:

The nested job 'sync' is requesting 'contents: read', but is only allowed 'contents: none'.

release.yml sets permissions: {} at the workflow level (default-deny). The sync-templates reusable workflow's job declares permissions: contents: read, but a reusable-workflow job cannot exceed the calling job's permissions. Without an explicit grant on the caller, the nested job is denied and the entire workflow fails to start (no jobs run at all).

Grants contents: read on the sync-templates caller job in release.yml so the nested job is allowed to request it.

Example failed run: https://github.com/emdash-cms/emdash/actions/runs/26053444840

Closes #

Type of change

  • Bug fix
  • Feature (requires maintainer-approved Discussion)
  • Refactor (no behavior change)
  • Translation
  • Documentation
  • Performance improvement
  • Tests
  • Chore (dependencies, CI, tooling)

Checklist

  • I have read CONTRIBUTING.md
  • pnpm typecheck passes (n/a, workflow-only change)
  • pnpm lint passes (n/a, workflow-only change)
  • pnpm test passes (n/a, workflow-only change)
  • pnpm format has been run (n/a, YAML)
  • I have added/updated tests for my changes (if applicable) -- n/a
  • User-visible strings in the admin UI are wrapped for translation -- n/a
  • I have added a changeset -- n/a, CI-only
  • New features link to an approved Discussion -- n/a, bugfix

AI-generated code disclosure

  • This PR includes AI-generated code -- model/tool: Claude Opus 4.7

Screenshots / test output

n/a -- single workflow YAML change, will be verified by the next push to main.

The release workflow uses default-deny (permissions: {}) at the
workflow level. The sync-templates reusable workflow's job requests
contents: read, but a reusable-workflow job cannot exceed the calling
job's permissions. Without an explicit grant on the caller, the
nested job is denied contents: read and the workflow fails to start.

Grants contents: read on the sync-templates caller job so the nested
job is allowed to request it.
Copilot AI review requested due to automatic review settings May 18, 2026 19:39
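
The permission ceiling described in this PR, as an added example (not code from this repository or from GitHub): a small Python check that compares what each nested job of a reusable workflow requests against what the calling job allows, and reports the mismatch in the same wording as the startup error quoted above. The caller job id `sync-templates`, the placeholder `uses` path, the dict layout and all function names are assumptions made for illustration.

```python
# Added example; workflow contents below are constructed, not the project's files.
RANK = {"none": 0, "read": 1, "write": 2}
SHORTHAND = {"read-all": "read", "write-all": "write"}


def level(perms, scope):
    """Access level a permissions value gives for one scope."""
    if isinstance(perms, str):            # read-all / write-all shorthand
        return SHORTHAND[perms]
    return perms.get(scope, "none")       # unlisted scopes become none


def effective(workflow, job):
    """Job-level permissions replace workflow-level ones; None = unset."""
    return job.get("permissions", workflow.get("permissions"))


def check_caller(caller_wf, caller_job_id, called_wf):
    """Return startup errors for nested jobs that exceed the caller job."""
    caller_job = caller_wf["jobs"][caller_job_id]
    allowed = effective(caller_wf, caller_job)
    if allowed is None:                   # repository default applies; not modelled
        return []
    errors = []
    for job_id, job in called_wf["jobs"].items():
        wanted = effective(called_wf, job)
        if not isinstance(wanted, dict):  # unset inherits caller; shorthand not modelled
            continue
        for scope, want in wanted.items():
            have = level(allowed, scope)
            if RANK[want] > RANK[have]:
                errors.append(
                    f"The nested job '{job_id}' is requesting '{scope}: {want}', "
                    f"but is only allowed '{scope}: {have}'."
                )
    return errors


# Constructed stand-ins for release.yml and the sync-templates workflow,
# shaped like the output of a YAML parser. The uses path is a placeholder.
CALLED = {"jobs": {"sync": {"permissions": {"contents": "read"}}}}
BEFORE = {"permissions": {},
          "jobs": {"sync-templates": {"uses": "./.github/workflows/<sync-templates>.yml"}}}
AFTER = {"permissions": {},
         "jobs": {"sync-templates": {"uses": "./.github/workflows/<sync-templates>.yml",
                                     "permissions": {"contents": "read"}}}}

if __name__ == "__main__":
    for wf in (BEFORE, AFTER):
        print(check_caller(wf, "sync-templates", CALLED))
```

Run against parsed workflow files in a pre-merge check, this surfaces the mismatch before the workflow fails to start on main, without widening the workflow-level default-deny.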
@changeset-bot

changeset-bot Bot commented May 18, 2026

⚠️ No Changeset found

Latest commit: 682e5c2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status | Name | Latest Commit | Updated (UTC)
✅ Deployment successful! | emdash-perf-coordinator | 682e5c2 | May 18 2026, 07:39 PM

@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

Status | Name | Latest Commit | Updated (UTC)
✅ Deployment successful! | emdash-i18n | 682e5c2 | May 18 2026, 07:40 PM

@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

Status | Name | Latest Commit | Updated (UTC)
✅ Deployment successful! | docs | 682e5c2 | May 18 2026, 07:40 PM

Contributor

Copilot AI left a comment

Pull request overview

Fixes a release workflow startup failure caused by nested job permissions exceeding the caller's. The workflow-level permissions: {} (default-deny) prevented the sync-templates reusable workflow's job (which requests contents: read) from being permitted. This adds an explicit contents: read grant on the caller job.

Changes:

  • Grant contents: read permission on the sync-templates caller job in release.yml.

@pkg-pr-new

pkg-pr-new Bot commented May 18, 2026

@emdash-cms/admin

npm i https://pkg.pr.new/@emdash-cms/admin@1095

@emdash-cms/auth

npm i https://pkg.pr.new/@emdash-cms/auth@1095

@emdash-cms/blocks

npm i https://pkg.pr.new/@emdash-cms/blocks@1095

@emdash-cms/cloudflare

npm i https://pkg.pr.new/@emdash-cms/cloudflare@1095

emdash

npm i https://pkg.pr.new/emdash@1095

create-emdash

npm i https://pkg.pr.new/create-emdash@1095

@emdash-cms/gutenberg-to-portable-text

npm i https://pkg.pr.new/@emdash-cms/gutenberg-to-portable-text@1095

@emdash-cms/x402

npm i https://pkg.pr.new/@emdash-cms/x402@1095

@emdash-cms/plugin-ai-moderation

npm i https://pkg.pr.new/@emdash-cms/plugin-ai-moderation@1095

@emdash-cms/plugin-atproto

npm i https://pkg.pr.new/@emdash-cms/plugin-atproto@1095

@emdash-cms/plugin-audit-log

npm i https://pkg.pr.new/@emdash-cms/plugin-audit-log@1095

@emdash-cms/plugin-color

npm i https://pkg.pr.new/@emdash-cms/plugin-color@1095

@emdash-cms/plugin-embeds

npm i https://pkg.pr.new/@emdash-cms/plugin-embeds@1095

@emdash-cms/plugin-forms

npm i https://pkg.pr.new/@emdash-cms/plugin-forms@1095

@emdash-cms/plugin-webhook-notifier

npm i https://pkg.pr.new/@emdash-cms/plugin-webhook-notifier@1095

commit: 682e5c2

@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

Status | Name | Latest Commit | Updated (UTC)
✅ Deployment successful! | emdash-demo-cache | 682e5c2 | May 18 2026, 07:41 PM

@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

Status | Name | Latest Commit | Updated (UTC)
✅ Deployment successful! | emdash-playground | 682e5c2 | May 18 2026, 07:42 PM

@ascorbic ascorbic merged commit aaf021c into main May 18, 2026
41 checks passed
@ascorbic ascorbic deleted the fix/release-workflow-sync-templates-permissions branch May 18, 2026 19:47