fix: update stale workflow permissions for reusable workflow compatibility #335


Closed
Copilot wants to merge 2 commits into main from copilot/fix-333


Copilot AI commented Sep 11, 2025

The stale workflow was failing due to insufficient permissions for the reusable workflow at cpp-linter/.github/.github/workflows/stale.yml@main.

Error from Actions run:

Invalid workflow file: .github/workflows/stale.yml#L9
The workflow is not valid. .github/workflows/stale.yml (Line: 9, Col: 3): Error calling workflow 'cpp-linter/.github/.github/workflows/stale.yml@main'. The nested job 'stale' is requesting 'contents: read, pull-requests: write', but is only allowed 'contents: none, pull-requests: none'.

Root Cause:
The calling workflow only granted issues: write at the workflow level, but the reusable workflow's job requires additional permissions (contents: read and pull-requests: write) that were not available.

Solution:
Following GitHub Actions security best practices with job-level permissions (principle of least privilege):

  1. Set workflow-level permissions to permissions: {} (empty)
  2. Grant specific permissions only to the job that needs them:
    • contents: read
    • issues: write
    • pull-requests: write

This ensures the reusable workflow receives all required permissions while maintaining minimal privilege scope.

Before:

permissions:
  issues: write
jobs:
  stale:
    uses: cpp-linter/.github/.github/workflows/stale.yml@main

After:

permissions: {}
jobs:
  stale:
    permissions:
      contents: read
      issues: write
      pull-requests: write
    uses: cpp-linter/.github/.github/workflows/stale.yml@main

Fixes #333.
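
The permission check behind the error above can be reproduced offline. This Python sketch is an added example, not code from this pull request or the cpp-linter project: it assumes the workflows are already parsed into dicts, takes the nested job's request from the error message, and its function names are hypothetical.

```python
LEVELS = {"none": 0, "read": 1, "write": 2}

def effective_permissions(workflow, job_name):
    """Permissions in force for a job; None means neither level sets them
    and the repository default token permissions apply."""
    job = workflow["jobs"][job_name]
    # A job-level `permissions` block replaces the workflow-level one outright.
    if "permissions" in job:
        return job["permissions"]
    return workflow.get("permissions")

def granted_level(granted, scope):
    if isinstance(granted, str):  # shorthand forms: read-all / write-all
        return granted.split("-")[0]
    # Once `permissions` is set, every scope not listed is `none`.
    return granted.get(scope, "none")

def missing_grants(granted, requested):
    """(scope, requested, allowed) for each scope the nested job asks for
    above what the calling job passes down."""
    if granted is None:
        raise ValueError("no explicit permissions: repository default applies")
    gaps = []
    for scope, want in sorted(requested.items()):
        have = granted_level(granted, scope)
        if LEVELS[want] > LEVELS[have]:
            gaps.append((scope, want, have))
    return gaps

# Constructed inputs: BEFORE/AFTER mirror the two snippets in the comment
# above; NESTED is what the error message says the nested job requests.
USES = "cpp-linter/.github/.github/workflows/stale.yml@main"
BEFORE = {"permissions": {"issues": "write"},
          "jobs": {"stale": {"uses": USES}}}
AFTER = {"permissions": {},
         "jobs": {"stale": {"uses": USES,
                            "permissions": {"contents": "read",
                                            "issues": "write",
                                            "pull-requests": "write"}}}}
NESTED = {"contents": "read", "pull-requests": "write"}

def check(workflow, job_name="stale"):
    return missing_grants(effective_permissions(workflow, job_name), NESTED)

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        for scope, want, have in check(wf):
            print(f"{label}: {scope} requested {want}, allowed {have}")
        print(f"{label}: {'rejected' if check(wf) else 'ok'}")
```
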



Copilot AI commented Sep 11, 2025

@2bndy5 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs.

I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review.

...ility
Co-authored-by: 2bndy5 <14963867+2bndy5@users.noreply.github.com>
Copilot AI changed the title from "[WIP] fix: update stale workflow permissions for reusable workflow compatibility" to "fix: update stale workflow permissions for reusable workflow compatibility" Sep 11, 2025
Copilot AI requested a review from 2bndy5 September 11, 2025 07:48
Copilot finished work on behalf of 2bndy5 September 11, 2025 07:48

duplicate with #334


2bndy5 commented Sep 11, 2025

I'm getting confused which repo is which. All the related issues and PRs look the same.
