Fix weekly workflow startup_failure caused by permissions mismatch #3684
The weekly workflow was declaring 'actions: read' at the workflow and caller-job level and calling daily.yml as a reusable workflow. The consolidate-test-failures job in daily.yml requires 'actions: write' to delete individual per-job test-failure artifacts after merging them into a single consolidated artifact.

Per GitHub's reusable workflow rules, GITHUB_TOKEN permissions can only be downgraded (not elevated) from the caller to the called workflow. So daily.yml's actions: write could not be granted when the caller only allowed actions: read, which causes the run to fail at startup with conclusion=startup_failure (observed on run 25622304450).

Elevate 'actions' permission to 'write' both at the workflow level and on the run-daily-for-release-branches job that uses daily.yml, so the nested permission chain is satisfied. Other permissions (contents, pull-requests) are unchanged.

Signed-off-by: Sarthak Aggarwal <sarthagg@amazon.com>
No actionable comments were generated in the recent review.

Walkthrough

The weekly GitHub Actions workflow now grants

Changes: GitHub Actions Workflow Permissions
Codecov Report

All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
## unstable #3684 +/- ##
============================================
- Coverage 76.66% 76.58% -0.08%
============================================
Files 162 162
Lines 80656 80656
============================================
- Hits 61831 61773 -58
- Misses 18825 18883 +58
…3684)

The weekly workflow has been broken since May 10.

#3358 added a `consolidate-test-failures` job to `daily.yml` that needs `actions: write` to delete per-job artifacts. `weekly.yml` calls `daily.yml` as a reusable workflow but only grants `actions: read`

Verified on my fork: `determine-release-branches` ran, the nested `daily.yml` matrix expanded, and the child jobs were started. Cancelled after that.

Signed-off-by: Sarthak Aggarwal <sarthagg@amazon.com>
The weekly workflow has been broken since May 10: https://github.com/valkey-io/valkey/actions/runs/25622304450
#3358 added a `consolidate-test-failures` job to `daily.yml` that needs `actions: write` to delete per-job artifacts. `weekly.yml` calls `daily.yml` as a reusable workflow but only grants `actions: read`

Verified on my fork: https://github.com/sarthakaggarwal97/valkey/actions/runs/25760458519

`determine-release-branches` ran, the nested `daily.yml` matrix expanded, and the child jobs were started. Cancelled after that.
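
The permission rule behind this fix, as an added example that is not part of the PR or the project's workflows: a small Python check that compares what a caller job grants with what each job in the called workflow requests. The `contents` values and the `unit-tests` job are constructed, and the check assumes the caller declares a `permissions` block.

```python
# Added example (not the project's code): models the rule that a called
# reusable workflow can only keep or lower the caller's GITHUB_TOKEN scopes.
LEVELS = {"none": 0, "read": 1, "write": 2}

def effective(workflow_perms, job_perms):
    """A job-level `permissions` block replaces the workflow-level one.
    Scopes missing from the block that applies count as 'none'."""
    return job_perms if job_perms is not None else workflow_perms

def escalations(workflow_perms, job_perms, called_jobs):
    """List (job, scope, requested, granted) wherever a job in the called
    workflow requests more than the caller job grants."""
    granted = effective(workflow_perms, job_perms)
    found = []
    for job, perms in called_jobs.items():
        for scope, requested in perms.items():
            allowed = granted.get(scope, "none")
            if LEVELS[requested] > LEVELS[allowed]:
                found.append((job, scope, requested, allowed))
    return found

# Constructed model of daily.yml: only consolidate-test-failures and its
# `actions: write` come from the PR text; `unit-tests` is hypothetical.
DAILY_JOBS = {
    "unit-tests": {"contents": "read"},
    "consolidate-test-failures": {"contents": "read", "actions": "write"},
}
# Caller permissions; the `contents` value is a constructed sample.
READ = {"contents": "read", "actions": "read"}
WRITE = {"contents": "read", "actions": "write"}

def report(label, workflow_perms, job_perms):
    problems = escalations(workflow_perms, job_perms, DAILY_JOBS)
    for job, scope, requested, allowed in problems:
        print(f"{label}: {job} requests '{scope}: {requested}', "
              f"caller allows '{scope}: {allowed}'")
    if not problems:
        print(f"{label}: permission chain satisfied")
    return problems

if __name__ == "__main__":
    report("before the fix", READ, READ)
    report("workflow level raised only", WRITE, READ)
    report("after the fix", WRITE, WRITE)
```

The middle case shows why the caller job's own block has to be raised too: a job-level `permissions` block replaces the workflow-level one, so raising only the workflow level leaves the called workflow capped at `actions: read`.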