Deletion fails with 403 Forbidden error

[iskunk]

Hello, I am trying to make use of delete-cache-action to help keep cache storage usage down.

My job first restores a cache from a previous run, then creates a new version of that cache, and then (in theory) deletes the original version. However, the third step is failing with a 403 error. Below are the relevant excerpts from the workflow log..

Restore cache version N:

Run actions/cache/restore@v4
  with:
    key: state-v9145879075
    restore-keys: state
    path: ~/state
    enableCrossOsArchive: false
    fail-on-cache-miss: false
    lookup-only: false
Cache Size: ~24 MB (25160254 B)
/usr/bin/tar -xf /home/runner/work/_temp/1419b25c-c093-484d-9aae-c657d4dac0c0/cache.tzst -P -C /home/runner/work/ungoogled-chromium-debian/ungoogled-chromium-debian --use-compress-program unzstd
Cache restored successfully
Cache restored from key: state-v9145796713

Save cache version N+1:

Run actions/cache/save@v4
/usr/bin/tar --posix -cf cache.tzst --exclude cache.tzst -P -C /home/runner/work/ungoogled-chromium-debian/ungoogled-chromium-debian --files-from manifest.txt --use-compress-program zstdmt
Cache Size: ~24 MB (25160483 B)
Cache saved successfully
Cache saved with key: state-v9145879075

Delete cache version N:

Run prantlf/delete-cache-action@9cd92c11982e90fb8d4be915fa53ba7aa213564f
Delete cache with key "state-v9145796713"
DELETE https://api.github.com/repos/iskunk/ungoogled-chromium-debian/actions/caches?key=state-v9145796713
Warning: Error: DELETE https://api.github.com/repos/iskunk/ungoogled-chromium-debian/actions/caches?key=state-v9145796713 failed: 403 Forbidden
Wait 7119.238406285331 ms before trying again
DELETE https://api.github.com/repos/iskunk/ungoogled-chromium-debian/actions/caches?key=state-v9145796713
Warning: Error: DELETE https://api.github.com/repos/iskunk/ungoogled-chromium-debian/actions/caches?key=state-v9145796713 failed: 403 Forbidden
Wait 6054.250496095973 ms before trying again
DELETE https://api.github.com/repos/iskunk/ungoogled-chromium-debian/actions/caches?key=state-v9145796713
Error: Error: DELETE https://api.github.com/repos/iskunk/ungoogled-chromium-debian/actions/caches?key=state-v9145796713 failed: 403 Forbidden

The relevant bit from my workflow .yml file:

      - name: Delete previous version of persistent state
        if: ${{steps.restore-state.outputs.cache-matched-key}}
        uses: prantlf/delete-cache-action@9cd92c11982e90fb8d4be915fa53ba7aa213564f # v3.0.0
        with:
          key: ${{steps.restore-state.outputs.cache-matched-key}}

Do I need an auth token with more privileges than the default?

[slanton-a]

I think you need to add actions:write permission

[iskunk]

I think you need to add actions:write permission

I've confirmed that adding

  permissions:
    actions: write

to the job definition allows the action to work:

Run prantlf/delete-cache-action@9cd92c11982e90fb8d4be915fa53ba7aa213564f
  with:
    key: state-v9380131933
    token: ***
Delete cache with key "state-v9380131933"
DELETE https://api.github.com/repos/iskunk/ungoogled-chromium-debian/actions/caches?key=state-v9380131933
1 item deleted

However, there are two problems with this approach:

• This adds the permission to all steps of the job, instead of only delete-cache-action. (I tried adding it to the step, but this fails with an "Invalid workflow file" error);
• The documentation makes no mention of this being necessary. There is a token argument, but this is implied to be needed when accessing caches belonging to a different repository.

Is it correct behavior that a workflow can create a cache item with the default permissions, but requires greater access to delete one? That doesn't seem to follow.