Grant CI job required permissions in release workflow #436

Merged
dopey merged 1 commit into master from max/fix-release-ci-permissions
Mar 19, 2026

@dopey dopey commented Mar 19, 2026

The ci job was inheriting only contents: read from the top-level permissions, but the called ci.yml workflow needs actions: read and security-events: write (for CodeQL). Caller permissions cap what reusable workflows can use, so those were silently denied.

Change-Type: ci
Release-Note: no
Audience: internal
Impact: low
Breaking: false

The ci job was inheriting only `contents: read` from the top-level
permissions, but the called ci.yml workflow needs `actions: read`
and `security-events: write` (for CodeQL). Caller permissions cap
what reusable workflows can use, so those were silently denied.

Change-Type: ci
Release-Note: no
Audience: internal
Impact: low
Breaking: false
Co-Authored-By: Claude <noreply@anthropic.com>
@dopey dopey enabled auto-merge March 19, 2026 04:43
@github-actions github-actions bot added the needs triage (Waiting for discussion / prioritization by team) label Mar 19, 2026
@dopey dopey merged commit 857c451 into master Mar 19, 2026
31 checks passed
@dopey dopey deleted the max/fix-release-ci-permissions branch March 19, 2026 04:49
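
The permission cap described in this pull request, shown as an added configuration example that is not the repository's actual release workflow or the diff from this PR. The workflow name, trigger, job ids and the `./.github/workflows/ci.yml` path are assumptions; only the three permission scopes come from the description above.

```yaml
# Added illustration, not the project's own file.
# Assumed: workflow name, tag trigger, job ids, and the ci.yml path.
name: release
on:
  push:
    tags: ["v*"]

# Workflow-level default. Any job without its own permissions block
# runs with exactly this and nothing more.
permissions:
  contents: read

jobs:
  # Before: the calling job has no permissions block, so the token handed
  # to the called workflow is capped at contents: read. Scopes that ci.yml
  # declares for itself cannot exceed what the caller grants.
  ci_before:
    uses: ./.github/workflows/ci.yml

  # After: the calling job grants the scopes the called workflow needs.
  # A job-level block replaces the workflow-level one rather than merging
  # with it, so contents: read is repeated here.
  ci:
    permissions:
      contents: read
      actions: read
      security-events: write   # needed by CodeQL in the called workflow
    uses: ./.github/workflows/ci.yml
```

Granting the extra scopes on the calling job only, rather than raising the workflow-level default, keeps the other jobs in the release workflow at `contents: read`.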