Skip to content

fix: add actions:read permission for artifact download#6

Merged
dims merged 1 commit into
mainfrom
fix/pr-comment-artifact-permissions
Jan 31, 2026
Merged

fix: add actions:read permission for artifact download#6
dims merged 1 commit into
mainfrom
fix/pr-comment-artifact-permissions

Conversation

@dims

@dims dims commented Jan 31, 2026

Copy link
Copy Markdown
Collaborator

Summary

Add missing actions: read permission to the Post PR Comment workflow so it can download artifacts from other workflow runs.

Motivation / Context

The workflow_run triggered workflow needs actions: read permission to download artifacts from the triggering workflow. Without this, the download-artifact action fails with "Resource not accessible by integration".

Error from run 21550864730:

Unable to download artifact(s): Resource not accessible by integration

Fixes: Follow-up to #5
Related: #3

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Refactoring (no functional changes)
  • Build/CI/tooling

Component(s) Affected

  • CLI (cmd/eidos, pkg/cli)
  • API server (cmd/eidosd, pkg/api, pkg/server)
  • Recipe engine / data (pkg/recipe)
  • Bundlers (pkg/bundler, pkg/component/*)
  • Collectors / snapshotter (pkg/collector, pkg/snapshotter)
  • Validator (pkg/validator)
  • Core libraries (pkg/errors, pkg/k8s)
  • Docs/examples (docs/, examples/)
  • Other: GitHub Actions workflows (.github/)

Implementation Notes

Added actions: read permission to .github/workflows/on-push-comment.yaml. This is the minimum permission needed to download artifacts from other workflow runs.

Testing

Risk Assessment

  • Low — Isolated change, well-tested, easy to revert
  • Medium — Touches multiple components or has broader impact
  • High — Breaking change, affects critical paths, or complex rollout

Rollout notes: N/A - single line permission addition

Checklist

  • Tests pass locally (make test with -race)
  • Linter passes (make lint)
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality — N/A
  • I updated docs if user-facing behavior changed — N/A
  • Changes follow existing patterns in the codebase
  • Commits are signed off (git commit -s) — DCO info

The workflow_run workflow needs actions:read permission to download
artifacts from other workflow runs. Without this, the download-artifact
action fails with "Resource not accessible by integration".

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Signed-off-by: Davanum Srinivas <[email protected]>
Copilot AI review requested due to automatic review settings January 31, 2026 21:08

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds the missing actions: read permission to the Post PR Comment workflow, fixing an artifact download failure that occurred when the workflow tried to download coverage data from the triggering On Push Qualification workflow.

Changes:

  • Add actions: read permission to .github/workflows/on-push-comment.yaml to enable cross-workflow artifact downloads

@dims dims merged commit 8a44270 into main Jan 31, 2026
10 checks passed
@dims dims deleted the fix/pr-comment-artifact-permissions branch January 31, 2026 21:17
dims referenced this pull request in dims/aicr Feb 20, 2026
Add three new validation steps to the H100 inference test:

- Inference Gateway (#6): verify GatewayClass accepted and Gateway
  programmed with inference extension CRDs present
- Accelerator & AI Service Metrics (#4/#5): verify DCGM Exporter
  metrics, Prometheus scraping, and custom metrics API availability
- Secure Accelerator Access (#3): verify GPU access is DRA-mediated
  (no hostPath, no device plugin), with proper container security

Also adds diagnostics for gateway, metrics, and DRA state on failure.

Signed-off-by: Davanum Srinivas <[email protected]>
dims referenced this pull request in dims/aicr Feb 20, 2026
Add three new validation steps to the H100 inference test:

- Inference Gateway (#6): verify GatewayClass accepted and Gateway
  programmed with inference extension CRDs present
- Accelerator & AI Service Metrics (#4/#5): verify DCGM Exporter
  metrics, Prometheus scraping, and custom metrics API availability
- Secure Accelerator Access (#3): verify GPU access is DRA-mediated
  (no hostPath, no device plugin), with proper container security

Also adds diagnostics for gateway, metrics, and DRA state on failure.

Signed-off-by: Davanum Srinivas <[email protected]>
@github-actions

github-actions Bot commented May 2, 2026

Copy link
Copy Markdown
Contributor

This pull request has been automatically locked since it has been closed for 90 days with no further activity. Please open a new pull request for related changes.

@github-actions github-actions Bot locked as resolved and limited conversation to collaborators May 2, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants