[plan] Add actions: read permission to activation job when hash check API step is emitted #24972
Description
Context
Issue #24949 reports that the compiled activation job fails with Error: Resource not accessible by integration when the hash check step calls github.rest.actions.getWorkflowRun(). This requires the actions: read permission, but the compiler only emits contents: read in the activation job's permissions: block.
Root Cause
The compiler emits the check_workflow_timestamp_api.cjs step (which calls the Actions REST API) in the activation job, but does not add actions: read to the job's permissions:. Since GitHub Actions enforces explicit permissions when any permissions: block is present, the token lacks the required scope.
Required Fix
In the workflow compiler (likely in pkg/workflow/), when the check_workflow_timestamp_api.cjs step is emitted for the activation job:
- Locate where the activation job's permissions: block is constructed
- Add actions: read to the permissions map whenever the hash check API step is included
Search for the relevant code with:
grep -r "check_workflow_timestamp_api\|contents.*read\|ActivationPermissions" pkg/workflow/ --include="*.go" -l
Files to Modify
- The Go compiler file(s) in pkg/workflow/ that build the activation job YAML (look for contents: read, permissions, or check_workflow_timestamp_api references)
Acceptance Criteria
- Compiled activation job includes actions: read in its permissions: block when the hash check API step is present
- Existing test for activation job permissions is updated (or new test added) to assert actions: read is emitted
- No regression in same-org scenarios
Related to Cross-org workflow_call: resolve_host_repo, checkout, and hash check all fail #24949
Generated by Plan Command for issue #24949 · 509.4K · expires on Apr 8, 2026, 10:23 PM UTC
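A sketch of the fix this issue asks for, added here as an example and not taken from the project's compiler: the activation job's permissions are derived from the steps actually emitted, so actions: read appears only when the hash check API step is present. `ActivationPermissions`, `RenderPermissions` and the `stepScopes` table are hypothetical names; only the script name and the two permission entries come from the issue.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Hypothetical table of the token scopes each emitted script needs beyond the
// base set. Only the check_workflow_timestamp_api.cjs entry comes from the issue.
var stepScopes = map[string]map[string]string{
	"check_workflow_timestamp_api.cjs": {"actions": "read"},
}

// Ordering of access levels, used so a merge never downgrades a grant.
var rank = map[string]int{"none": 0, "read": 1, "write": 2}

// ActivationPermissions returns the permissions map for the activation job:
// contents: read as the base, plus whatever the emitted steps require.
func ActivationPermissions(emittedSteps []string) map[string]string {
	perms := map[string]string{"contents": "read"}
	for _, step := range emittedSteps {
		for scope, level := range stepScopes[step] {
			if rank[level] > rank[perms[scope]] { // missing scope ranks as 0
				perms[scope] = level
			}
		}
	}
	return perms
}

// RenderPermissions emits the YAML permissions: block with sorted keys so the
// compiled output is stable across runs and easy to assert on in tests.
func RenderPermissions(perms map[string]string, indent string) string {
	keys := make([]string, 0, len(perms))
	for k := range perms {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	b.WriteString(indent + "permissions:\n")
	for _, k := range keys {
		fmt.Fprintf(&b, "%s  %s: %s\n", indent, k, perms[k])
	}
	return b.String()
}

func main() {
	steps := []string{"check_workflow_timestamp_api.cjs"}
	fmt.Print(RenderPermissions(ActivationPermissions(steps), "    "))
}
```

Keying the extra scope to the emitted step keeps the job at contents: read when the hash check is not compiled in, which is the least-privilege behaviour the acceptance criteria imply.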