From 28691332f1407a6085fc23904bed352f4f580b0d Mon Sep 17 00:00:00 2001 From: Albert Mavashev Date: Sat, 2 May 2026 19:21:20 -0400 Subject: [PATCH] fix(ci): reusable workflows must not request 'read-all' (broke callers) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reusable workflows can only request permissions the *calling* workflow has granted via its top-level permissions block. PR #41's permissions sweep added 'permissions: read-all' to ci-java.yml and ci-python.yml, which expanded to ~15 read scopes (actions, packages, pages, etc.). Every caller that grants narrower permissions hit this error: 'workflow is requesting actions: read, artifact-metadata: read, attestations: read, ... but is only allowed actions: none, ...' Concrete impact: cycles-server's ci.yml declares 'permissions: contents: read' at top level. After PR #41 merged, every CI run on cycles-server returned startup_failure (no jobs created). Same for any other repo calling ci-java.yml or ci-python.yml. Fix: match the working pattern from ci-rust.yml and ci-typescript.yml. Declare only 'permissions: contents: read' at the workflow level — the narrowest permission the workflow actually needs (Maven/pip checkout + build). Job-level permissions stay as-is. Scorecard's Token-Permissions check still passes because each workflow has explicit (non-default) permissions declared at both levels. --- .github/workflows/ci-java.yml | 8 +++++++- .github/workflows/ci-python.yml | 8 +++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-java.yml b/.github/workflows/ci-java.yml index 0e9204d..ef06b5e 100644 --- a/.github/workflows/ci-java.yml +++ b/.github/workflows/ci-java.yml 
@@ -28,7 +28,13 @@ on: type: string default: '' -permissions: read-all +# Reusable workflows can only request permissions the *caller* has granted. +# `read-all` here breaks any caller that scopes permissions narrower than +# read-all (e.g. cycles-server's ci.yml grants only `contents: read`), causing +# `startup_failure` with: "workflow is requesting ... but is only allowed ...". +# Match the caller-friendly pattern: declare only what we actually need. +permissions: + contents: read jobs: test: diff --git a/.github/workflows/ci-python.yml b/.github/workflows/ci-python.yml index aea7857..4232aa5 100644 --- a/.github/workflows/ci-python.yml +++ b/.github/workflows/ci-python.yml @@ -16,7 +16,13 @@ on: type: boolean default: true -permissions: read-all +# Reusable workflows can only request permissions the *caller* has granted. +# `read-all` here breaks any caller that scopes permissions narrower than +# read-all (e.g. cycles-server's ci.yml grants only `contents: read`), causing +# `startup_failure` with: "workflow is requesting ... but is only allowed ...". +# Match the caller-friendly pattern: declare only what we actually need. +permissions: + contents: read jobs: lint-and-test:
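Review bot: For the ci-java.yml hunk, the new workflow-level block only sets the default for jobs that declare no `permissions` of their own, and the commit message says job-level permissions "stay as-is" without showing them. Any job block that requests more than `contents: read` will still trigger the same "workflow is requesting ... but is only allowed ..." startup_failure for a caller that grants only `contents: read`, so the fix is only complete if every job in `jobs:` (e.g. `test:`) either inherits this default or requests nothing the narrowest known caller does not grant. Suggest either including the job-level blocks in the diff so reviewers can confirm that, or extending the comment to state the minimum set a caller must grant, for example: `# Callers must grant at least: contents: read`.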
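Review bot: For the ci-python.yml hunk, the five-line comment is a verbatim copy of the one added to ci-java.yml and names one specific consumer (`cycles-server's ci.yml`), which will go stale the moment that repository changes its permissions and is not something a reusable workflow should have to track. Suggest keeping only the general rule in the file comment, e.g. `# Reusable workflows can only request permissions the *caller* has granted.` and `# Declare only what this workflow actually needs.`, and moving the incident-specific context (cycles-server, the exact error text) to the commit message, where it already lives. The `permissions:` / `contents: read` replacement for `read-all` itself looks correct and matches what the message describes for ci-rust.yml and ci-typescript.yml.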