Fix weekly workflow startup_failure caused by permissions mismatch#3684

Merged
enjoy-binbin merged 1 commit into valkey-io:unstable from sarthakaggarwal97:fix/weekly-workflow-permissions
May 13, 2026

@sarthakaggarwal97 sarthakaggarwal97 commented May 12, 2026

Contributor

The weekly workflow has been broken since May 10: https://github.com/valkey-io/valkey/actions/runs/25622304450

#3358 added a consolidate-test-failures job to daily.yml that needs actions: write to delete per-job artifacts. weekly.yml calls daily.yml as a reusable workflow but only grants actions: read.

Verified on my fork: https://github.com/sarthakaggarwal97/valkey/actions/runs/25760458519 determine-release-branches ran, the nested daily.yml matrix expanded, and the child jobs were started. Cancelled after that.

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow permissions to enable enhanced automation capabilities during release operations.

The weekly workflow was declaring 'actions: read' at the workflow and
caller-job level and calling daily.yml as a reusable workflow. The
consolidate-test-failures job in daily.yml requires 'actions: write'
to delete individual per-job test-failure artifacts after merging them
into a single consolidated artifact.

Per GitHub's reusable workflow rules, GITHUB_TOKEN permissions can only
be downgraded (not elevated) from the caller to the called workflow.
So daily.yml's actions: write could not be granted when the caller
only allowed actions: read, which causes the run to fail at startup
with conclusion=startup_failure (observed on run 25622304450).

Elevate 'actions' permission to 'write' both at the workflow level and
on the run-daily-for-release-branches job that uses daily.yml, so the
nested permission chain is satisfied. Other permissions (contents,
pull-requests) are unchanged.

Signed-off-by: Sarthak Aggarwal <sarthagg@amazon.com>
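
The permission ceiling described in the commit message can be checked before a run is queued. This is an added example, not code from the PR or the valkey repository: the workflow dictionaries are constructed stand-ins for parsed weekly.yml and daily.yml (the `contents: read` entry and the helper names are assumptions), and only mapping-style `permissions` blocks are handled.

```python
# Added example: models the caller -> reusable-workflow permission ceiling.
LEVELS = {"none": 0, "read": 1, "write": 2}

def declared(workflow, job_name):
    """A job-level `permissions` block replaces the workflow-level one.
    Returns None when neither exists (repository default applies)."""
    job = workflow["jobs"][job_name]
    if "permissions" in job:
        return job["permissions"]
    return workflow.get("permissions")

def escalations(caller, caller_job, called):
    """List (called_job, scope, requested, granted) for each scope a job in
    the called workflow requests above what the calling job grants."""
    granted = declared(caller, caller_job)
    if granted is None:
        raise ValueError("caller declares no permissions; ceiling is the repository default")
    problems = []
    for name in called["jobs"]:
        for scope, want in (declared(called, name) or {}).items():
            have = granted.get(scope, "none")  # unlisted scopes become none
            if LEVELS[want] > LEVELS[have]:
                problems.append((name, scope, want, have))
    return problems

def weekly(actions_level):
    """Constructed stand-in for weekly.yml; `contents: read` is assumed."""
    perms = {"actions": actions_level, "contents": "read"}
    return {
        "permissions": dict(perms),
        "jobs": {
            "determine-release-branches": {},
            # This job calls daily.yml as a reusable workflow.
            "run-daily-for-release-branches": {"permissions": dict(perms)},
        },
    }

# Constructed stand-in for daily.yml: only the job named on the page.
DAILY = {"jobs": {"consolidate-test-failures": {"permissions": {"actions": "write"}}}}

if __name__ == "__main__":
    job = "run-daily-for-release-branches"
    for level in ("read", "write"):
        found = escalations(weekly(level), job, DAILY)
        print(f"caller actions: {level} ->", found or "no escalation")
```

Because the job-level block replaces the workflow-level one, raising `actions` only at the top of the caller would leave the calling job at `read` and the mismatch in place.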

coderabbitai Bot commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 6aba6c40-f85c-443e-ac41-076fe9c910b3

📥 Commits

Reviewing files that changed from the base of the PR and between d4337d6 and 2e019cb.

📒 Files selected for processing (1)
  • .github/workflows/weekly.yml

Walkthrough

The weekly GitHub Actions workflow now grants write permissions to the actions scope at both the workflow and job level, elevated from read. These changes affect the workflow-level permissions block and the run-daily-for-release-branches job permissions.

Changes

GitHub Actions Workflow Permissions

Layer / File(s) | Summary
Workflow and job-level action permissions upgrade (.github/workflows/weekly.yml) | Workflow-level and job-level permissions.actions both changed from read to write in the weekly.yml workflow configuration.

Estimated Code Review Effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A workflow once whispered with caution so tight,
"Read only," it said, "Keep actions in sight."
But now with a write, permissions take flight—
The weekly.yml dances through GitHub's night! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly and specifically describes the main change: fixing a GitHub Actions workflow permissions issue that was causing startup failures.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

codecov Bot commented May 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.58%. Comparing base (d4337d6) to head (2e019cb).

Additional details and impacted files
@@             Coverage Diff              @@
##           unstable    #3684      +/-   ##
============================================
- Coverage     76.66%   76.58%   -0.08%     
============================================
  Files           162      162              
  Lines         80656    80656              
============================================
- Hits          61831    61773      -58     
- Misses        18825    18883      +58     

see 23 files with indirect coverage changes

@enjoy-binbin enjoy-binbin merged commit fc849f0 into valkey-io:unstable May 13, 2026
63 checks passed
lucasyonge pushed a commit that referenced this pull request May 14, 2026
…3684)

The weekly workflow has been broken since May 10.

#3358 added a `consolidate-test-failures` job to `daily.yml` that
needs `actions: write` to delete per-job artifacts. `weekly.yml` calls
`daily.yml` as a reusable workflow but only grants `actions: read`.

Verified on my fork:
`determine-release-branches` ran, the nested `daily.yml` matrix
expanded, and the child jobs were started. Cancelled after that.

Signed-off-by: Sarthak Aggarwal <sarthagg@amazon.com>