From d069cfeb87945d14108d02f4baba19d790e7407a Mon Sep 17 00:00:00 2001 From: Sam Erde <20478745+SamErde@users.noreply.github.com> Date: Tue, 2 Jun 2026 09:22:00 -0400 Subject: [PATCH] fix(ci): grant pull-requests: read to the release build-and-test caller Release-and-Publish startup_failed on both pull_request:closed and workflow_dispatch after #228, so 2.2.0 never published. Root cause: #228 added a "changes" job to the reusable Build Module.yml that declares pull-requests: read. Release calls that workflow via uses:, and its build-and-test caller granted only contents: read + security-events: write. A reusable workflow's jobs may not request permissions the caller did not grant; GitHub validates this STATICALLY at startup (before any if: skip), so even though "changes" is skipped on the workflow_call path, the excess request fails the whole run before it starts. Grant pull-requests: read on the caller so static validation passes. The permission is unused on the release path (the "changes" job is skipped there) and is read-only and minimal. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/Release-and-Publish.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/Release-and-Publish.yml b/.github/workflows/Release-and-Publish.yml index 046e332..57d98a6 100644 --- a/.github/workflows/Release-and-Publish.yml +++ b/.github/workflows/Release-and-Publish.yml @@ -315,6 +315,11 @@ jobs: permissions: contents: read security-events: write + # Required by the called "Build Module.yml": its `changes` job declares pull-requests: read. + # A reusable workflow's jobs may not request permissions the caller did not grant, and GitHub + # validates this STATICALLY at startup -- even though `changes` is skipped on the release + # (workflow_call) path. Without granting it here the release run fails to start (startup_failure). + pull-requests: read with: ref: ${{ needs.analyze.outputs.release_sha }}
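Review bot: the four-line comment above `pull-requests: read` in the `build-and-test` caller's `permissions:` block restates the commit message and will go stale; keep the one-line reason and point at the source, e.g. `# Required by the called "Build Module.yml" (its "changes" job declares pull-requests: read; GitHub rejects the run at startup otherwise, see #228).` Also note the inconsistency between the commit body ("startup_failed") and the comment ("startup_failure"); the run conclusion GitHub reports is `startup_failure`, so use that in both. Since the comment itself says the grant is unused on the release path, it is worth stating in the same comment why the alternative of dropping the job-level `permissions:` from `changes` in the reusable workflow (letting it inherit from whichever caller invokes it) was not taken, so the next reader does not reopen that question; if that alternative is viable, it keeps the release caller at its existing `contents: read` + `security-events: write` grant instead of carrying an unexercised permission.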