Contributor

@Copilot Copilot AI commented Sep 11, 2025

The stale workflow was failing due to insufficient permissions for the reusable workflow at cpp-linter/.github/.github/workflows/stale.yml@main.

Error from Actions run:

Invalid workflow file: .github/workflows/stale.yml#L9
The workflow is not valid. .github/workflows/stale.yml (Line: 9, Col: 3): Error calling workflow 'cpp-linter/.github/.github/workflows/stale.yml@main'. The nested job 'stale' is requesting 'contents: read, pull-requests: write', but is only allowed 'contents: none, pull-requests: none'.

Root Cause:
The calling workflow only granted `issues: write` at the workflow level, but the reusable workflow's job requires additional permissions (`contents: read` and `pull-requests: write`) that were not available.

Solution:
Following GitHub Actions security best practices with job-level permissions (principle of least privilege):

  1. Set workflow-level permissions to `permissions: {}` (empty)
  2. Grant specific permissions only to the job that needs them:
    • `contents: read`
    • `issues: write`
    • `pull-requests: write`

This ensures the reusable workflow receives all required permissions while maintaining minimal privilege scope.

Before:

```yaml
permissions:
  issues: write

jobs:
  stale:
    uses: cpp-linter/.github/.github/workflows/stale.yml@main
```

After:

```yaml
permissions: {}

jobs:
  stale:
    permissions:
      contents: read
      issues: write
      pull-requests: write
    uses: cpp-linter/.github/.github/workflows/stale.yml@main
```

Fixes #333.
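
The permission ceiling behind the error above, modelled as an added example (not part of the PR or of GitHub's own code): a job-level `permissions` block replaces the workflow-level one, any scope left out of an explicit block is `none`, and the reusable workflow's nested job may not request more than the calling job was granted. The workflows are given as already-parsed dictionaries, and `NESTED_REQUEST` is an assumption pieced together from the error message and the fix.

```python
# Added example: checks a caller workflow against what a reusable workflow's job requests.
LEVELS = {"none": 0, "read": 1, "write": 2}

def granted_level(workflow, job_name, scope):
    """Level the calling job holds for one scope, or None if no block is set anywhere."""
    job = workflow["jobs"][job_name]
    # A job-level block replaces the workflow-level block for that job.
    block = job.get("permissions", workflow.get("permissions"))
    if block is None:
        return None  # falls back to the repository's default token settings
    if isinstance(block, str):  # shorthand forms
        return {"read-all": "read", "write-all": "write"}[block]
    # Once a block is explicit, every scope it does not list is 'none'.
    return block.get(scope, "none")

def shortfall(workflow, job_name, requested):
    """Scopes where the nested job asks for more than the caller allows."""
    gaps = {}
    for scope, want in requested.items():
        have = granted_level(workflow, job_name, scope)
        if have is None:
            raise ValueError("no explicit permissions block; depends on repository defaults")
        if LEVELS[have] < LEVELS[want]:
            gaps[scope] = {"requested": want, "allowed": have}
    return gaps

REUSABLE = "cpp-linter/.github/.github/workflows/stale.yml@main"
# Assumed request of the nested 'stale' job (from the error text plus the fix).
NESTED_REQUEST = {"contents": "read", "issues": "write", "pull-requests": "write"}

# The "Before" and "After" caller workflows from this PR, as parsed YAML.
BEFORE = {"permissions": {"issues": "write"},
          "jobs": {"stale": {"uses": REUSABLE}}}
AFTER = {"permissions": {},
         "jobs": {"stale": {"permissions": dict(NESTED_REQUEST), "uses": REUSABLE}}}

if __name__ == "__main__":
    for name, wf in (("before", BEFORE), ("after", AFTER)):
        print(name, shortfall(wf, "stale", NESTED_REQUEST))
```

For the "Before" workflow the result names the same two scopes as the Actions error (`contents` and `pull-requests`, both allowed only `none`); for the "After" workflow it is empty.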


Contributor Author

Copilot AI commented Sep 11, 2025

@2bndy5 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.

@Copilot Copilot AI changed the title from "[WIP] fix: update stale workflow permissions for reusable workflow compatibility" to "fix: update stale workflow permissions for reusable workflow compatibility" Sep 11, 2025
@Copilot Copilot AI requested a review from 2bndy5 September 11, 2025 07:48
Copilot finished work on behalf of 2bndy5 September 11, 2025 07:48
@shenxianpeng
Collaborator

duplicate with #334

@shenxianpeng shenxianpeng deleted the copilot/fix-333 branch September 11, 2025 07:55
@2bndy5
Collaborator

2bndy5 commented Sep 11, 2025

I'm getting confused which repo is which. All the related issues and PRs look the same.
