
fix: move workflow permissions from job level to workflow level#507

Closed
jmeridth wants to merge 1 commit into main from fix/workflow-permissions-to-workflow-level

Conversation

@jmeridth
Collaborator

@jmeridth jmeridth commented Mar 16, 2026

What

Moves permissions declarations from job level back to workflow level across all workflow files.

Why

Workflow-level permissions set the maximum token permissions for all jobs. With `contents: read` at workflow level, job-level `contents: write` was silently capped, causing `Resource not accessible by integration` errors (e.g., `markPullRequestReadyForReview` in `mark-ready-when-ready`).

Notes

  • Multi-job workflows (e.g., `release.yml`) now declare the union of all job permissions at workflow level, which is slightly broader per job but avoids the cap issue.
  • Reviewers should verify that no workflow previously had intentionally restricted job-level permissions that differ from those of other jobs in the same workflow.
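The second note asks reviewers to check which jobs end up with more than they declared once permissions are hoisted. The following script is an added example, not code from this PR or the repository: it takes workflows as already-parsed dicts (the shape a YAML loader would produce), computes the workflow-level union the PR describes, and reports, per job, every scope that union grants beyond the job's own declaration. The sample jobs, their names and their scopes are constructed to resemble the release.yml region in the diff and are assumptions, not the real file.

```python
"""Review aid for hoisting GitHub Actions `permissions` to workflow level.

Added example, not the PR's or project's own code. Workflows are passed as
already-parsed dicts so the script runs without a YAML library; the sample
at the bottom is constructed and its job names and scopes are assumptions.
"""
LEVELS = {"none": 0, "read": 1, "write": 2}


def union_permissions(jobs):
    """Highest level requested per scope across every job's own `permissions`."""
    union = {}
    for job in jobs.values():
        for scope, level in job.get("permissions", {}).items():
            if LEVELS[level] > LEVELS[union.get(scope, "none")]:
                union[scope] = level
    return union


def widened_scopes(jobs, workflow_permissions):
    """Per job, the scopes where the workflow-level grant exceeds the job's declaration.

    A job with no `permissions` block is compared against an empty declaration,
    so every workflow-level scope shows up as a widening for it.
    """
    report = {}
    for name, job in jobs.items():
        declared = job.get("permissions", {})
        extra = {scope: level for scope, level in workflow_permissions.items()
                 if LEVELS[level] > LEVELS[declared.get(scope, "none")]}
        if extra:
            report[name] = extra
    return report


# Constructed sample (assumed names and scopes): one read-only job, one
# publishing job that needs the write scopes, and one job declaring nothing.
SAMPLE_JOBS = {
    "build": {"permissions": {"contents": "read", "pull-requests": "read"}},
    "publish": {"permissions": {"attestations": "write", "contents": "write",
                                "discussions": "write", "id-token": "write",
                                "packages": "write"}},
    "notify": {},
}

if __name__ == "__main__":
    hoisted = union_permissions(SAMPLE_JOBS)
    print("workflow-level union:", hoisted)
    for job, extra in widened_scopes(SAMPLE_JOBS, hoisted).items():
        print(f"{job} gains: {extra}")
```

Run it against the real jobs of each changed workflow (loaded with any YAML parser) to see exactly which jobs would receive `id-token: write`, `packages: write` or other scopes they never asked for.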

@jmeridth jmeridth requested a review from zkoppert as a code owner March 16, 2026 16:21
Copilot AI review requested due to automatic review settings March 16, 2026 16:21
@github-actions github-actions bot added the fix label Mar 16, 2026
Contributor

Copilot AI left a comment


Pull request overview

Moves GitHub Actions token permissions declarations from individual job blocks to the workflow level to avoid unintended permission capping that can break write operations.

Changes:

  • Hoists job-level permissions up to workflow-level across multiple workflows.
  • Expands workflow-level permissions in multi-job workflows to the union required by all jobs (notably release.yml).
  • Aligns workflows like mark-ready-when-ready with the permissions required for PR updates.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Summary per file:

  • .github/workflows/scorecard.yml: Moves id-token/security-events permissions to workflow scope.
  • .github/workflows/release.yml: Sets workflow-level permissions to cover all reusable-workflow jobs.
  • .github/workflows/pr-title.yml: Moves job permissions to workflow scope for reusable workflow invocation.
  • .github/workflows/mark-ready-when-ready.yml: Elevates workflow permissions to support PR-ready transitions.
  • .github/workflows/codeql.yml: Moves job permissions to workflow scope for CodeQL analysis.
  • .github/workflows/auto-labeler.yml: Moves job permissions to workflow scope for label automation.

Comment on lines 8 to +14
permissions:
contents: read
attestations: write
contents: write
discussions: write
id-token: write
packages: write
pull-requests: read
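Review bot: this region grants `attestations: write`, `contents: write`, `discussions: write`, `id-token: write` and `packages: write` to every job in the workflow, not only to the job that needs each scope, which the PR description itself calls broader per job. Before accepting that widening, confirm with a test run that a job-level `permissions` block really is capped by the workflow-level block rather than replacing it for that job; if the job-level declaration takes effect on its own, per-job scoping is the least-privilege option and only the workflow that actually failed needs a change. Also, both `contents: read` and `contents: write` appear under the same `permissions:` key in the rendered region; make sure the final file keeps a single `contents:` entry.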
Job-level permissions are capped by workflow-level permissions. With
workflow-level set to only `contents: read`, job-level write permissions
were silently capped, breaking actions like markPullRequestReadyForReview.
@jmeridth jmeridth force-pushed the fix/workflow-permissions-to-workflow-level branch from 87a60d8 to 12e4bee March 16, 2026 16:23
@jmeridth jmeridth marked this pull request as draft March 16, 2026 18:34
@jmeridth jmeridth closed this Mar 17, 2026