Copilot AI commented Sep 11, 2025

Problem

The stale workflow was failing due to a permissions mismatch when calling the reusable workflow at cpp-linter/.github/.github/workflows/stale.yml@main. The error indicated that the calling workflow did not provide sufficient permissions for the reusable workflow's job-level permissions to inherit from, resulting in:

  • Job 'stale' requesting: contents: read, pull-requests: write
  • But only being allowed: contents: none, pull-requests: none

Solution

Updated .github/workflows/stale.yml to follow the principle of least privilege by moving permissions from workflow-level to job-level:

Before:

permissions:
  issues: write

jobs:
  stale:
    uses: cpp-linter/.github/.github/workflows/stale.yml@main

After:

permissions: {}

jobs:
  stale:
    permissions:
      contents: read
      issues: write
      pull-requests: write
    uses: cpp-linter/.github/.github/workflows/stale.yml@main

Changes

  • Set workflow-level permissions to {} (empty object)
  • Added job-level permissions with exactly what the reusable workflow requires:
    • contents: read - for reading repository contents
    • issues: write - preserved from original (needed for stale issue management)
    • pull-requests: write - added to resolve the missing permission error

This change aligns with the pattern already used in other workflows in this repository (codeql.yml, pre-commit.yml, docs.yml) and resolves the permissions compatibility issue with the reusable workflow.

Fixes #159

This pull request was created as a result of the following prompt from Copilot chat.

The stale workflow in cpp-linter/cpp-linter is failing due to a permissions mismatch when calling the reusable workflow at cpp-linter/.github/.github/workflows/stale.yml. The error indicates that the calling workflow does not provide sufficient permissions for the reusable workflow's job-level permissions to inherit from, resulting in the job 'stale' requesting 'contents: read, pull-requests: write', but only being allowed 'contents: none, pull-requests: none'.

To fix this:

  1. Set workflow-level permissions to {} in .github/workflows/stale.yml.
  2. Add job-level permissions for the stale job as follows:
permissions: {}

jobs:
  stale:
    permissions:
      contents: read
      issues: write
      pull-requests: write
    uses: cpp-linter/.github/.github/workflows/stale.yml@main

References:

Update the stale workflow so that it is compatible with the reusable workflow and permissions are set according to the principle of least privilege.
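
Added example (not part of this pull request or of cpp-linter's code): a small Python model of how a caller job's `permissions` bound a reusable workflow's job, run against the Before and After configurations above. The `REQUESTED` set is taken from the description's list of what the reusable workflow requires, not read from that workflow file; all function names are hypothetical.

```python
# Added example: model of GitHub Actions permission resolution for a job that
# calls a reusable workflow. Data below is constructed from the PR description.
LEVEL = {"none": 0, "read": 1, "write": 2}

def effective(workflow_perms, job_perms):
    """Permissions the caller job grants to the called workflow.

    A job-level `permissions` block replaces the workflow-level block; any
    scope omitted from the block in force is `none`. Returns None when neither
    level sets `permissions` (repository default applies; not modelled here).
    """
    return job_perms if job_perms is not None else workflow_perms

def shortfall(granted, requested):
    """Scopes where the called job asks for more than the caller grants."""
    if granted is None:
        raise ValueError("no explicit permissions; repository default unknown")
    return {scope: (want, granted.get(scope, "none"))
            for scope, want in requested.items()
            if LEVEL[want] > LEVEL[granted.get(scope, "none")]}

def excess(granted, requested):
    """Scopes granted above what is requested (least-privilege check)."""
    return {scope: (have, requested.get(scope, "none"))
            for scope, have in granted.items()
            if LEVEL[have] > LEVEL[requested.get(scope, "none")]}

def report(job, missing):
    """Format a shortfall in the same shape as the error quoted above."""
    if not missing:
        return f"job '{job}': ok"
    asked = ", ".join(f"{s}: {w}" for s, (w, _) in sorted(missing.items()))
    allowed = ", ".join(f"{s}: {h}" for s, (_, h) in sorted(missing.items()))
    return f"job '{job}' requesting: {asked}; allowed: {allowed}"

# Assumed from the description: what the reusable stale job requires.
REQUESTED = {"contents": "read", "issues": "write", "pull-requests": "write"}
# "Before": workflow-level block only, no job-level block.
BEFORE = effective({"issues": "write"}, None)
# "After": empty workflow-level block, explicit job-level block.
AFTER = effective({}, {"contents": "read", "issues": "write",
                       "pull-requests": "write"})

if __name__ == "__main__":
    print(report("stale", shortfall(BEFORE, REQUESTED)))
    print(report("stale", shortfall(AFTER, REQUESTED)))
```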



github-actions bot added the bug (Something isn't working) label Sep 11, 2025
Copilot AI changed the title from "[WIP] Fix stale workflow permissions for compatibility with reusable workflow" to "Fix stale workflow permissions to resolve reusable workflow compatibility" Sep 11, 2025
Copilot AI requested a review from shenxianpeng September 11, 2025 07:32
2bndy5 changed the title from "Fix stale workflow permissions to resolve reusable workflow compatibility" to "fix: specify stale workflow permissions for org reusable workflow" Sep 11, 2025
2bndy5 marked this pull request as ready for review September 11, 2025 07:38
2bndy5 left a comment

This is pretty cool.

2bndy5 merged commit 3fca4e1 into main Sep 11, 2025
14 checks passed
2bndy5 deleted the copilot/fix-f8c32980-2944-4aed-b6be-a0bec6a63164 branch September 11, 2025 10:32
Successfully merging this pull request may close these issues.

fix: update stale workflow permissions for reusable workflow compatibility
