
fix: grant contents/pull-requests write to sync_actions reusable workflow call #20613

Merged
pelikhan merged 3 commits into main from copilot/fix-release-workflow-error
Mar 12, 2026

Copilot AI commented Mar 12, 2026

The sync_actions job calls sync-actions.yml@main, which internally declares contents: write, pull-requests: write. The compiler always emits permissions: {} at the workflow top-level, so without explicit job-level permissions on the calling job, the reusable workflow is denied those permissions.

Changes

  • release.md: Added permissions: contents: write, pull-requests: write to the sync_actions job definition
  • release.lock.yml: Recompiled — permissions now appear on the sync_actions job

sync_actions:
  needs: ["pre_activation", "activation", "config", "push_tag"]
  uses: github/gh-aw-actions/.github/workflows/sync-actions.yml@main
  with:
    ref: ${{ needs.config.outputs.release_tag }}
  secrets: inherit
  permissions:
    contents: write
    pull-requests: write
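
As an added illustration (not part of this PR or of the gh-aw compiler), the check below models the rule the description relies on: a called reusable workflow can only receive the scopes the calling job grants, and an empty top-level `permissions: {}` grants none. The dict layout, function names and the two sample workflows are constructed for this example; the required scopes are the ones the description says sync-actions.yml declares.

```python
# Added example: workflows are modelled as plain dicts (constructed sample
# data) so the check runs without a YAML parser.
LEVELS = {"none": 0, "read": 1, "write": 2}

def effective_permissions(workflow, job_name):
    """Permissions the calling job's GITHUB_TOKEN carries.

    A job-level `permissions` block replaces the workflow-level one; any
    scope missing from the block that applies is treated as `none`.
    Returns None when neither level sets permissions (repository default).
    """
    job = workflow["jobs"][job_name]
    if "permissions" in job:
        return job["permissions"]
    return workflow.get("permissions")

def missing_grants(caller, job_name, required):
    """Scopes the called workflow declares above what the caller grants."""
    granted = effective_permissions(caller, job_name)
    if granted is None:
        return {}  # depends on the repository default; not decidable here
    gaps = {}
    for scope, want in required.items():
        have = granted.get(scope, "none")
        if LEVELS[have] < LEVELS[want]:
            gaps[scope] = (have, want)
    return gaps

# Scopes declared by the called workflow, per the PR description.
REQUIRED = {"contents": "write", "pull-requests": "write"}
USES = "github/gh-aw-actions/.github/workflows/sync-actions.yml@main"

# Constructed "before": compiler-emitted top-level {} and no job-level block.
BEFORE = {"permissions": {}, "jobs": {"sync_actions": {"uses": USES}}}
# Constructed "after": the job-level grant this PR adds.
AFTER = {"permissions": {}, "jobs": {"sync_actions": {
    "uses": USES,
    "permissions": {"contents": "write", "pull-requests": "write"}}}}

if __name__ == "__main__":
    print("before:", missing_grants(BEFORE, "sync_actions", REQUIRED))
    print("after: ", missing_grants(AFTER, "sync_actions", REQUIRED))
```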

Copilot AI and others added 2 commits March 11, 2026 22:48
The sync_actions job calls a reusable workflow (sync-actions.yml) that
requires contents: write and pull-requests: write. Since the compiler
always writes permissions: {} at the top-level of lock files, the
calling job must explicitly grant the required permissions.

Adds permissions: contents: write, pull-requests: write to the
sync_actions job in release.md and recompiles release.lock.yml.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan pelikhan marked this pull request as ready for review March 12, 2026 00:23
Copilot AI review requested due to automatic review settings March 12, 2026 00:23
@pelikhan pelikhan merged commit 609de9b into main Mar 12, 2026
47 checks passed
@pelikhan pelikhan deleted the copilot/fix-release-workflow-error branch March 12, 2026 00:24

Copilot AI left a comment

Pull request overview

This PR fixes a permissions denial when the sync_actions job calls a reusable workflow (sync-actions.yml@main) that requires elevated token scopes.

Changes:

  • Adds explicit job-level permissions (contents: write, pull-requests: write) to sync_actions in the source workflow markdown.
  • Recompiles the generated workflow so the permissions block is present in the sync_actions job in the lockfile.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .github/workflows/release.md | Grants sync_actions the job-level write permissions required by the called reusable workflow. |
| .github/workflows/release.lock.yml | Regenerated output reflects the new sync_actions job permissions block. |
